Unveiling Vulnerabilities: How I Earned My First Bounty by Securing my Favorite Cyber Security YouTuber’s Website

3 min readJul 13, 2023

In this blog, I will recount my experience of enumerating WordPress users and securing my first bounty from the website of my beloved cybersecurity YouTuber, Linuxndroid . To maintain confidentiality let’s consider the domain name is example.com running WordPress on it.

Below is the step by step POC:

1) Identify whether website is running WordPress on it or not. I manually tested the website and found that the website is using wordpress as a CMS .

2) Method 1: Try to access below endpoint to enumerate WordPress users. If it is protected then you will see custom error like below:

https://www.example.com/wp-json/wp/v2/users/

BUT I FAILED !!!
After some time I noticed that the error is 403 (FORBIDDEN) , which means that file is present there but I don’t have the access to read that file .

SO in order to read the file I need to bypass this security protection .

BYPASS METHOD ( 1 )

CASE SENSITIVITY

We can see that the usual REST route was blocked but updating the path with one uppercase character or more would fool the rewrite rule.
PAYLOAD -: https://www.example.com/wp-json/wp/v2/uSERS/

AND BOOM !!!
I BYPASSED THE SECURITY RULE …. :))))

METHOD 1 BYPASS ( https://www.redacted.com/wp-json/wp/v2/**uSERS**/ )

BYPASS METHOD ( 2 )

HTTP PARAMETER “rest_route”

While Worpdress is configured — by default — to support URL rewriting to have search engine and human friendly URLs like https://website.com/2020/12/breaking-news instead of https://website.com/?p=2678, behind the scene, every request sent to /wp-json/ is entering the index page with the parameter “rest_route” set to /wp/v2/users.
PAYLOAD -:
https://www.example.com/section/news?rest_route=/wp/v2/usErs

AND BOOM !!!
ONCE AGAIN I BYPASSED THE SECURITY RULE …. :))))