
CVE-2024-6641: CWE-185 Incorrect Regular Expression in astrasecuritysuite WP Hardening (discontinued)

Severity: Medium
Tags: Vulnerability, CVE-2024-6641, CWE-185
Published: Wed Sep 18 2024 (09/18/2024, 05:31:13 UTC)
Source: CVE Database V5
Vendor/Project: astrasecuritysuite
Product: WP Hardening (discontinued)

Description

CVE-2024-6641 is a medium severity vulnerability in the discontinued WP Hardening – Fix Your WordPress Security plugin. The flaw arises from an incorrect regular expression used in the 'Stop User Enumeration' feature, allowing unauthenticated attackers to bypass the security control and enumerate WordPress usernames. This vulnerability affects all versions up to 1.2.6 of the plugin. Exploitation requires no authentication or user interaction and can lead to exposure of site usernames, which can facilitate further targeted attacks such as brute force or phishing. Although no known exploits are currently reported in the wild, the vulnerability poses a risk to WordPress sites still using this discontinued plugin. Organizations should consider removing or replacing the plugin and implementing additional user enumeration protections. The CVSS score is 5.3, reflecting a moderate impact primarily on confidentiality without affecting integrity or availability.

AI-Powered Analysis

Last updated: 02/26/2026, 03:19:21 UTC

Technical Analysis

CVE-2024-6641 identifies a security feature bypass vulnerability in the WP Hardening – Fix Your WordPress Security plugin, specifically within its 'Stop User Enumeration' feature. The root cause is an incorrect regular expression (CWE-185) that fails to properly restrict access to username enumeration endpoints. User enumeration is a common reconnaissance technique where attackers gather valid usernames from a WordPress site to facilitate further attacks such as password guessing or social engineering. Because the plugin is discontinued and all versions up to 1.2.6 are affected, no official patches are available. The vulnerability allows unauthenticated attackers to bypass the intended security restrictions without any user interaction, exposing usernames. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, and impacts confidentiality only. While no known exploits have been reported, the exposure of usernames can significantly aid attackers in mounting targeted attacks against WordPress sites still using this plugin. Given the plugin's discontinued status, mitigation options are limited to removal or replacement and additional hardening measures.

Potential Impact

The primary impact of this vulnerability is the exposure of WordPress site usernames to unauthenticated attackers. This information leakage can facilitate more effective brute force attacks, credential stuffing, and phishing campaigns targeting site administrators or users. While the vulnerability does not directly compromise data integrity or availability, the confidentiality breach can lead to subsequent attacks with more severe consequences. Organizations running WordPress sites with this discontinued plugin are at risk of reconnaissance by attackers, increasing their overall attack surface. The lack of patches and the plugin's discontinued status exacerbate the risk, as vulnerable installations remain exposed. This can be particularly impactful for high-profile or sensitive WordPress sites, including those used by businesses, government entities, and media organizations, where username exposure can lead to targeted compromise attempts.

Mitigation Recommendations

Since the WP Hardening plugin is discontinued and no patches are available, the most effective mitigation is to uninstall and remove the plugin entirely from WordPress installations. Site administrators should replace it with actively maintained security plugins that provide robust user enumeration protections. Additionally, implementing web application firewalls (WAFs) with rules to block or rate-limit user enumeration attempts can help mitigate exposure. Enforcing strong password policies and multi-factor authentication (MFA) for all user accounts reduces the risk posed by username disclosure. Monitoring server logs for suspicious enumeration activity and limiting access to REST API endpoints or author archives can further reduce attack surface. Regular security audits and keeping WordPress core and plugins up to date remain critical best practices. Finally, educating site administrators about the risks of discontinued plugins and encouraging timely removal is essential.
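The log-monitoring step above can be automated. The following is an added example, not code from the advisory or from the WP Hardening plugin: it scans constructed Apache combined-format access log lines for the WordPress user-enumeration surfaces the mitigation section names (the `author` query parameter, `/author/` archives, and the `wp/v2/users` REST route via both `/wp-json/` and `?rest_route=`) and reports clients that hit them repeatedly. The query string is parsed rather than pattern-matched, so an `author` parameter is caught wherever it appears in the query, which is exactly the kind of case an incorrect regular expression tends to miss. The log lines, IPs and threshold are constructed sample values.

```python
import re
from collections import defaultdict
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Combined log format: client IP ... "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2024:05:31:13 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.7 - - [18/Sep/2024:05:31:14 +0000] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.7 - - [18/Sep/2024:05:31:15 +0000] "GET /?author=3 HTTP/1.1" 301 0
203.0.113.7 - - [18/Sep/2024:05:31:16 +0000] "GET /index.php?p=5&author=4 HTTP/1.1" 301 0
198.51.100.9 - - [18/Sep/2024:05:32:00 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812
198.51.100.9 - - [18/Sep/2024:05:32:01 +0000] "GET /?rest_route=/wp/v2/users/1 HTTP/1.1" 200 210
192.0.2.44 - - [18/Sep/2024:05:33:00 +0000] "GET /2024/09/hello-world/ HTTP/1.1" 200 5120
"""


def enumeration_vector(target: str) -> Optional[str]:
    """Return which user-enumeration surface a request target touches, or None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if "author" in query:                      # /?author=N or /page?x=1&author=N
        return "author-param"
    if parts.path.startswith("/wp-json/wp/v2/users"):
        return "rest-users"
    if any(r.startswith("/wp/v2/users") for r in query.get("rest_route", [])):
        return "rest-users"                    # /?rest_route=/wp/v2/users/N
    if re.match(r"^/author/[^/]+/?$", parts.path):
        return "author-archive"
    return None


def find_enumerators(log_text: str, threshold: int = 2) -> Dict[str, Dict[str, int]]:
    """Count enumeration hits per client IP; return clients at or above threshold."""
    hits: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                           # skip lines that are not requests
        vector = enumeration_vector(m["target"])
        if vector:
            hits[m["ip"]][vector] += 1
    return {ip: dict(v) for ip, v in hits.items() if sum(v.values()) >= threshold}


if __name__ == "__main__":
    for ip, vectors in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {vectors}")
```

Flagged clients are candidates for rate-limiting at the WAF; tune the threshold to the site's normal author-archive traffic before alerting on it.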


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-07-10T00:52:55.526Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c0ab7ef31ef0b55f422

Added to database: 2/25/2026, 9:39:22 PM

Last enriched: 2/26/2026, 3:19:21 AM

Last updated: 2/26/2026, 7:34:00 AM
