CVE-2017-1000226 – Stop User Enumeration plugin <1.3.9 - User Enumeration
https://notcve.org/view.php?id=CVE-2017-1000226
Stop User Enumeration 1.3.8 allows user enumeration via the REST API. The Stop User Enumeration plugin for WordPress is vulnerable to User Enumeration in versions up to, and including, 1.3.8. This is due to a flaw in the REST API: the REST API allows simulating different request types, which makes it possible for unauthenticated attackers to perform a POST request with the “users” string in the body of the request and tell the REST API to act as if it had received a GET request.
• https://security.dxw.com/advisories/stop-user-enumeration-rest-api
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-18536 – Stop User Enumeration <= 1.3.7 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-18536
The stop-user-enumeration plugin before 1.3.8 for WordPress has XSS. The Stop User Enumeration plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts that execute in a victim's browser.
• https://wordpress.org/plugins/stop-user-enumeration/#developers
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')