WordPress user registration enabled

By kannthu

Informative
Vidoc Module
#wordpress
Description

What is "WordPress user registration enabled?"

The "WordPress user registration enabled" module is designed to detect whether the user registration feature is enabled on a WordPress website. This module focuses on identifying misconfigurations in the WordPress user registration settings.

This module is authored by Ratnadip Gajbhiye and has an informative severity level.

Impact

If the user registration feature is misconfigured or left enabled without proper security measures, it can potentially lead to unauthorized access, spam registrations, and other security risks. Attackers may exploit this vulnerability to gain unauthorized access to the website or perform malicious activities.

How does the module work?

The "WordPress user registration enabled" module works by sending a GET request to the "/wp-login.php?action=register" endpoint of the target WordPress website. It then applies matching conditions to determine if the user registration feature is enabled.

The matching conditions for this module include:

- Checking if the response body contains the phrases "Register For This Site" and "E-mail".
- Verifying that the response status code is 200 (OK).

If both matching conditions are met, the module identifies that the user registration feature is enabled on the WordPress website.

Here is an example of the HTTP request sent by the module:

GET /wp-login.php?action=register

Please note that the actual module definition is not shown here for brevity.
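The two matching conditions described above can be reproduced offline when auditing a site you administer. The following is an added example, not Vidoc's module definition; the function names and the sample responses are constructed for illustration, and only the endpoint, phrases and status code come from the description above.

```python
"""Added example: offline re-implementation of the module's two matchers."""
import urllib.error
import urllib.parse
import urllib.request

# Values taken from the module description above.
REGISTER_PATH = "/wp-login.php?action=register"
REQUIRED_WORDS = ("Register For This Site", "E-mail")
REQUIRED_STATUS = 200


def registration_enabled(status: int, body: str) -> bool:
    """True only if the status matches AND every required phrase is in the body."""
    return status == REQUIRED_STATUS and all(w in body for w in REQUIRED_WORDS)


def explain(status: int, body: str) -> dict:
    """Per-matcher results, useful when triaging why a site did or did not match."""
    return {
        "status": status == REQUIRED_STATUS,
        "words": {w: w in body for w in REQUIRED_WORDS},
    }


def check_site(base_url: str, timeout: float = 10.0) -> bool:
    """Fetch the registration endpoint of a site you administer and apply the matchers."""
    url = urllib.parse.urljoin(base_url.rstrip("/") + "/", REGISTER_PATH.lstrip("/"))
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return registration_enabled(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError:
        return False  # error status (4xx/5xx): the status matcher cannot pass


# Constructed sample responses (not captured from any real site).
SAMPLE_OPEN = (200, "<p class='message register'>Register For This Site</p>"
                    "<label for='user_email'>E-mail</label>")
SAMPLE_LOGIN_ONLY = (200, "<label for='user_login'>Username or Email Address</label>")
SAMPLE_FORBIDDEN = (403, "Register For This Site E-mail")

if __name__ == "__main__":
    for name, (status, body) in [("open", SAMPLE_OPEN), ("login only", SAMPLE_LOGIN_ONLY),
                                 ("forbidden", SAMPLE_FORBIDDEN)]:
        print(name, registration_enabled(status, body), explain(status, body))
```

As written here, the word check is a literal, case-sensitive substring match, so a translated or heavily themed registration page will not match; a negative result alone does not show that registration is closed.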

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /wp-login.php?action...
Matching conditions
word: Register For This Site, E-mail (and)
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability