Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-sany-su2d-73cn
Vulnerability ID VCID-sany-su2d-73cn
Aliases CVE-2017-5487
Summary wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.
Status Published
Exploitability 2.0
Weighted Severity 8.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
System Score Found at
epss 0.92497 https://api.first.org/data/v1/epss?cve=CVE-2017-5487
epss 0.92497 https://api.first.org/data/v1/epss?cve=CVE-2017-5487
epss 0.92497 https://api.first.org/data/v1/epss?cve=CVE-2017-5487
archlinux High https://security.archlinux.org/AVG-142
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2017-5487
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5487
851310 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851310
ASA-201701-22 https://security.archlinux.org/ASA-201701-22
AVG-142 https://security.archlinux.org/AVG-142
CVE-2017-5487 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/41497.php
Data source Exploit-DB
Date added March 3, 2017
Description WordPress Core < 4.7.1 - Username Enumeration
Ransomware campaign use Unknown
Source publication date March 3, 2017
Exploit type webapps
Platform php
Source update date May 4, 2017
Exploit Prediction Scoring System (EPSS)
Percentile 0.99732
EPSS Score 0.92497
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T16:32:41.235624+00:00 Debian Oval Importer Import https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.0.0