Unauthenticated WordPress User Enumeration via REST API and Author Sitemap

Affected resource:
vidzemesslimnica.lv
Description:

I identified an information disclosure issue on the public WordPress instance at https://vidzemesslimnica.lv.

The endpoint /wp-json/wp/v2/users is accessible without authentication and returns a list of real author/user identities (id, name, slug). In addition, /wp-sitemap-users-1.xml (the "users" provider of the core XML sitemap) publicly exposes author archive URLs, whose path segment is the same slug (user_nicename) that the REST response returns.

This allows unauthenticated user enumeration and provides reliable identity data that can be used for targeted phishing and account-guessing campaigns.

Severity assessment: Medium
CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3)

I understand this may be considered low-impact in some programs; I am reporting it as a valid information disclosure with moderate security relevance, not as account compromise.

Technical vulnerability description (PoC):
  1. Send unauthenticated request to:
    GET https://vidzemesslimnica.lv/wp-json/wp/v2/users?per_page=10&_fields=id,slug,name

  2. Observe HTTP 200 OK and JSON response with real user identities, for example:
    [
    {"id":6,"name":"[REDACTED]","slug":"[REDACTED]"},
    {"id":4,"name":"[REDACTED]","slug":"[REDACTED]"},
    {"id":13,"name":"[REDACTED]","slug":"[REDACTED]"}
    ]

  3. Send unauthenticated request to:
    GET https://vidzemesslimnica.lv/wp-sitemap-users-1.xml

  4. Observe author URLs are publicly listed, e.g.:
    https://vidzemesslimnica.lv/author/[REDACTED]/
    https://vidzemesslimnica.lv/author/[REDACTED]/

Impact:
Public exposure of valid usernames/author slugs reduces attacker effort for targeted social engineering and credential attack preparation.

Test conditions:

  • In-scope target only
  • Non-destructive, read-only requests
  • No authentication bypass, no brute force, no data modification

Recommended fix:
  • Restrict public access to user enumeration endpoints where possible.
  • Disable or limit /wp-json/wp/v2/users exposure for unauthenticated users.
  • Disable author sitemap and/or author archives if not business-required.
  • Avoid author slugs that directly map to login identifiers; by default WordPress derives the slug (user_nicename) from the login name, so a public slug is usually a valid username.
  • Apply principle of least disclosure for public metadata.
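The following must-use plugin implements the three technical recommendations above (REST user routes, the users sitemap provider, and author archives) and closes the endpoints exercised in PoC steps 1-4. It is an added example written for this report, not code supplied by the site or by WordPress; the plugin name is hypothetical, and it assumes WordPress 5.5 or later (core sitemaps) with no other plugin overriding the same filters.

```php
<?php
/**
 * Plugin Name: Restrict user enumeration (hypothetical example for this report)
 *
 * Copy into wp-content/mu-plugins/ ; mu-plugins load automatically.
 * Assumes WordPress >= 5.5 so the core sitemap filters exist.
 */

// 1. REST API: remove the user collection and single-user routes for anyone
//    who lacks the list_users capability (unauthenticated visitors included).
//    /wp/v2/users/me is kept; it already requires an authenticated user.
//    Affected requests get the normal 404 "rest_no_route" error instead of a
//    user list. Note that core only shows users with published public posts
//    to unauthenticated callers, so this closes the remaining exposure.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( ! current_user_can( 'list_users' ) ) {
        unset( $endpoints['/wp/v2/users'] );
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// 2. Core XML sitemap: drop the "users" provider so /wp-sitemap-users-1.xml
//    and its entry in /wp-sitemap.xml disappear. Posts/pages/taxonomies
//    remain in the sitemap index.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, string $name ) {
    return ( 'users' === $name ) ? false : $provider;
}, 10, 2 );

// 3. Author archives: answer /author/<slug>/ and ?author=N with a 404.
//    Priority 1 runs before redirect_canonical (priority 10), which would
//    otherwise turn ?author=N into a redirect whose Location header leaks
//    the slug. Marking the query as 404 first makes redirect_canonical skip
//    that branch and the theme's 404 template renders normally.
add_action( 'template_redirect', function () {
    if ( is_author() ) {
        global $wp_query;
        $wp_query->set_404();
        status_header( 404 );
        nocache_headers();
    }
}, 1 );
```

After deployment, repeat PoC steps 1 and 3: the REST request should return HTTP 404 with a JSON body whose code is rest_no_route, and the sitemap URL and any /author/<slug>/ URL should return 404. Caveat: with the rest_endpoints approach, logged-in roles without list_users (Author, Contributor) also lose the users routes; if an editor-side feature needs them for such roles, replace the capability check with one matching your policy rather than removing the filter.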

Comments (8)

dainisciguzis
Programme manager
25.06.2026 08:13:02

Hello, thank you for discovering the flaw, we will make the fixes!

dainisciguzis
Programme manager
25.06.2026 10:36:08

The flaw has been fixed, thank you!

Status: Resolved
25.06.2026 10:36:12

The vulnerability report status was changed from New to Resolved. Change made by dainisciguzis

dainisciguzis
Programme manager
25.06.2026 10:37:08

Please do not publish the names of individuals.

Programme manager dainisciguzis requests that the vulnerability be published with the following status: In full
25.06.2026 10:37:10

Please evaluate publication of the report!

Vulnerability report submitter khalik requests that the vulnerability be published with the following status: In full
25.06.2026 10:43:05

Please evaluate publication of the report!

khalik
25.06.2026 10:45:50

Great turnaround, thank you for the fast validation and fix.
Happy to confirm publication, provided all personal names are anonymized/redacted.
Looking forward to contributing again.

ArtDan changed the vulnerability's publication status to: In full
26.06.2026 15:14:12

Vulnerability report published!

VidzemesSlimnica
Medium
Resolved
Submitted
24.06.2026 16:52:10
Last edited
26.06.2026 15:14:12
Vulnerability report submitter
khalik
Participants
-
25.06.2026 10:37:10
Programme manager
dainisciguzis
25.06.2026 10:43:05
Vulnerability report submitter
khalik