wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

Always get the same users list #343

Closed thepopol777 closed 10 years ago

thepopol777 commented 10 years ago

Hi everyone!

I'm running wpscan on Kali Linux. I'm only enumerating usernames, but whatever URL I put, it always returns the same users list O.o

For example, if I type:

wpscan --url http://test.wordpress.com --enumerate u

It returns admin, donncha, matt, 7 and ian.

Any ideas?

ethicalhack3r commented 10 years ago

WPScan is for self-hosted WordPress blogs, not WordPress-hosted (SaaS) WordPress blogs (*.wordpress.com).

thepopol777 commented 10 years ago

So those names are the names of the global owners of *.wordpress.com?

ethicalhack3r commented 10 years ago

I would think so, yea :)

firefart commented 10 years ago

Maybe we can implement a warning with confirmation if the URL is *.wordpress.com? Maybe there is also a way to detect wordpress.com blogs with their own domains.

ethicalhack3r commented 10 years ago

Yea, might be a good idea.

I guess our main 'target market' is pentesters and WordPress admins; the former should already know this, but the latter may not.
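
The warning-with-confirmation idea firefart raises above, sketched as an added example (not part of the thread and not WPScan's own code). All method names are hypothetical; it only matches the *.wordpress.com hostname itself and does not attempt to detect WordPress.com blogs on custom domains.

```ruby
require 'uri'

# Added example; every name below is hypothetical, not WPScan's API.
HOSTED_SUFFIX = 'wordpress.com'

# Normalised host of a target URL (lower case, no trailing dot),
# or nil when the input cannot be parsed as a URL.
def target_host(url)
  # Accept bare hosts such as "test.wordpress.com" by assuming http.
  url = "http://#{url}" unless url =~ %r{\A[a-z][a-z0-9+.-]*://}i
  host = URI.parse(url).host
  return nil if host.nil? || host.empty?

  host.downcase.chomp('.')
rescue URI::InvalidURIError
  nil
end

# True only for wordpress.com and its subdomains. Comparing on a label
# boundary keeps "notwordpress.com" and "wordpress.com.example.org"
# from matching, and parsing first keeps "wordpress.com@example.org"
# (userinfo, not host) from matching.
def wordpress_com_hosted?(url)
  host = target_host(url)
  return false if host.nil?

  host == HOSTED_SUFFIX || host.end_with?(".#{HOSTED_SUFFIX}")
end

# Gate a scan behind a confirmation when the target is *.wordpress.com.
# `confirm` is any callable taking the warning text and returning
# true/false; the default declines, so unattended runs do not proceed.
def proceed_with_scan?(url, confirm: ->(_msg) { false })
  return true unless wordpress_com_hosted?(url)

  confirm.call("#{target_host(url)} is a *.wordpress.com (hosted) address; " \
               'WPScan is for self-hosted WordPress. Continue?')
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample targets.
  %w[http://test.wordpress.com http://blog.example.org].each do |t|
    puts "#{t}: proceed=#{proceed_with_scan?(t)}"
  end
end
```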