CVE-2025-4302

Stop User Enumeration < 1.7.3 - Protection Bypass

Severity Score: 5.3 (CVSS v3.1)

Public Exploits: 1 (Multiple Sources)

Exploited in Wild: - (KEV)

Decision: Attend (SSVC)

Descriptions

The Stop User Enumeration WordPress plugin before version 1.7.3 blocks REST API /wp-json/wp/v2/users/ requests for non-authorized users. However, this can be bypassed by URL-encoding the API path.

The Stop User Enumeration plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 1.7.2. This is due to the plugin not restricting URL encoded paths from returning user data. This makes it possible for unauthenticated attackers to enumerate WordPress users.

*Credits: Stan, Chin Siang Leow, WPScan
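
Added example (not from the advisory or the plugin's code): a log check that percent-decodes each request path before comparing it with the protected route, so plain and URL-encoded requests for /wp-json/wp/v2/users are both surfaced. The combined access-log format, the sample lines and the names `classify` and `scan` are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

USERS_ROUTE = "/wp-json/wp/v2/users"  # REST route named in the description
# Request line of a combined-format access log (the format is an assumption).
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

def _collapse(path):
    return re.sub(r"/{2,}", "/", path)  # treat repeated slashes as one

def _is_users_route(path):
    return path == USERS_ROUTE or path.startswith(USERS_ROUTE + "/")

def normalize_path(target, max_rounds=3):
    """Percent-decode the path (bounded rounds, to cover nested encoding)."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return _collapse(path)

def classify(target):
    """Return 'plain', 'encoded' or None for one request target."""
    if not _is_users_route(normalize_path(target)):
        return None
    raw = _collapse(target.split("?", 1)[0])
    return "plain" if _is_users_route(raw) else "encoded"

def scan(lines):
    """Return (client, target, status, kind) for each users-route request."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if m and (kind := classify(m.group(2))):
            hits.append((m.group(1), m.group(2), int(m.group(3)), kind))
    return hits

# Constructed sample lines (documentation IP ranges, invented status codes).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Jul/2025:10:01:02 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 401 112 "-" "curl/8.5.0"',
    '203.0.113.7 - - [18/Jul/2025:10:01:05 +0000] "GET /wp-json/wp/v2/%75sers/ HTTP/1.1" 200 1843 "-" "curl/8.5.0"',
    '198.51.100.23 - - [18/Jul/2025:10:02:40 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

An "encoded" hit with a success status on a site running a version before 1.7.3 is the case worth reviewing first.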
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: Attend
  • Exploitation: PoC
  • Automatable: Yes
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2025-05-05 CVE Reserved
  • 2025-06-26 CVE Published
  • 2025-07-17 First Exploit
  • 2025-07-25 CVE Updated
  • 2025-08-18 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-693: Protection Mechanism Failure
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Unknown
  • Product: Stop User Enumeration
  • Version: < 1.7.3
  • Other: en
  • Status: Affected