CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

26 Jun 2025 — The Stop User Enumeration WordPress plugin before version 1.7.3 blocks REST API /wp-json/wp/v2/users/ requests for non-authorized users. However, this can be bypassed by URL-encoding the API path. The Stop User Enumeration plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 1.7.2. This is due to the plugin not restricting URL encoded paths from returning user data. This makes it possible for unauthenticated attackers to enumerate WordPress users. • https://wpscan.com/vulnerability/19f67d6e-4ffe-4126-ac42-fb23c5017a3e • CWE-693: Protection Mechanism Failure

CVSS: 6.1 • EPSS: 5% • CPEs: 1 • EXPL: 0

15 Jan 2017 — The stop-user-enumeration plugin before 1.3.8 for WordPress has XSS. The Stop User Enumeration plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts that execute in a victim's browser. • https://wordpress.org/plugins/stop-user-enumeration/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')