[wp-trac] [WordPress Trac] #52858: Wp-json Accessible from Outside
WordPress Trac
noreply at wordpress.org
Thu Mar 18 20:52:18 UTC 2021
#52858: Wp-json Accessible from Outside
----------------------------+-----------------------------
Reporter: stavrosomo | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Filesystem API | Version: 5.6.2
Severity: major | Keywords: security bug
Focuses: |
----------------------------+-----------------------------
The route "wp-json" cannot be accessible when a user is not registered to
the website or not logged in to the website. But it is accessible even
when a user has a "Subscriber" role. That means that he can just subscribe
to the newsletter of any website and be able to see the website user
details and attack the wp-json route, which is open to any user. I guess
this is a major issue that needs to be sorted out asap. I hope that this will
help sort this issue out!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52858>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac mailing list
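A defensive configuration for the concern raised in the ticket, as an added example that is not part of the ticket or of WordPress core: it rejects unauthenticated REST requests and restricts the `/wp/v2/users` routes to accounts holding the `list_users` capability (which the Subscriber role does not have). It assumes it is loaded as a must-use plugin or from a theme's functions.php, and that the site has no public integrations that depend on anonymous REST access.

```php
<?php
/**
 * Added example (not from the ticket or WordPress core): harden the REST API
 * against the anonymous / Subscriber-level access described in the report.
 * Assumed to run as a must-use plugin or from a theme's functions.php.
 */

// 1. Reject any REST request that does not carry an authenticated user.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another authentication handler already decided (WP_Error or true);
    // do not override its verdict.
    if ( ! empty( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'Authentication is required to access the REST API.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );

// 2. Even for logged-in users, only allow user listings and lookups to
//    accounts that may manage users. /wp/v2/users/me stays reachable so
//    the block editor keeps working for Authors and Contributors.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // something else already short-circuited the request
    }
    $route = $request->get_route();
    $is_users_route = ( 0 === strpos( $route, '/wp/v2/users' ) );
    if ( $is_users_route && '/wp/v2/users/me' !== $route && ! current_user_can( 'list_users' ) ) {
        return new WP_Error(
            'rest_forbidden_users',
            'You are not allowed to view user details.',
            array( 'status' => 403 )
        );
    }
    return $result;
}, 10, 3 );
```

Filter 1 also blocks legitimate anonymous consumers such as oEmbed discovery and front-end forms built on the REST API, so test those flows before deploying it; filter 2 alone is the narrower change if only user-detail exposure is the concern.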