Context
WordPress Core versions < 4.7.1 are subject to user enumeration through the URL https://wordpress/wp-json/wp/v2/users.
User enumeration can lead to the compromise of WordPress accounts, because attackers only have to guess the password of one of the enumerated users rather than guess both a username and a password.
The scanner can also report this finding when the Core version is not vulnerable but the WordPress REST API is left openly accessible: by default, WordPress does not restrict access to this endpoint.
Remediation
WordPress Core version < 4.7.1
If your WordPress Core version is < 4.7.1, update WordPress through the admin panel to the latest available version.
If your WordPress Core version is not vulnerable but the endpoint is still accessible
The easiest remediation is to install a security plugin such as Disable REST API:
- From within your WordPress dashboard, go to Add Plugin.
- Search for the plugin called Disable REST API or iThemes Security (or another plugin with good reviews for the same issue).
- Install and activate the plugin, and that's it.
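The same restriction can be enforced without a plugin by removing the users routes from the REST API for anonymous visitors, which is the least-privilege fix: logged-in users keep the endpoint and the rest of the API stays available. This is an added example, not code from the page or from the plugins named above; the filter name and route keys are WordPress core's, and the file is assumed to be dropped into wp-content/mu-plugins/ as a must-use plugin.

```php
<?php
/**
 * Plugin Name: Hide REST users endpoint from anonymous requests
 * Description: Added example (not the original page's or any plugin's code).
 *              Removes the /wp/v2/users routes for visitors who are not logged in,
 *              so https://wordpress/wp-json/wp/v2/users no longer lists users.
 */

// Do not run outside WordPress.
defined( 'ABSPATH' ) || exit;

add_filter( 'rest_endpoints', function ( array $endpoints ) {
    // Authenticated users (editors, the block editor, admin screens) keep full access.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    // Route keys as registered by WP_REST_Users_Controller in WordPress core:
    // the collection and the single-user route. Both reveal usernames/slugs.
    $user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );

    foreach ( $user_routes as $route ) {
        if ( isset( $endpoints[ $route ] ) ) {
            unset( $endpoints[ $route ] );
        }
    }

    // With the routes gone, an anonymous GET receives WordPress's standard
    // "rest_no_route" error (HTTP 404) instead of the JSON array of users.
    return $endpoints;
} );
```

After activating it, verify from a browser that is not logged in that the URL above no longer returns a JSON array of users, and confirm that any front-end feature relying on the users endpoint for anonymous visitors still works.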