[wp-trac] [WordPress Trac] #48812: REST API: Settings endpoint - read access
WordPress Trac
noreply at wordpress.org
Wed Nov 27 20:58:17 UTC 2019
#48812: REST API: Settings endpoint - read access
------------------------------------------------+----------------------
Reporter: scruffian | Owner: (none)
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: REST API | Version: 4.7
Severity: normal | Resolution: wontfix
Keywords: has-patch 2nd-opinion dev-feedback | Focuses:
------------------------------------------------+----------------------
Changes (by peterwilsoncc):
* status: new => closed
* resolution: => wontfix
* milestone: Awaiting Review =>
Comment:
I agree with @TimothyBlynJacobs that this is a no-go due to security
implications.
A plugin could be registering confidential data via the settings API and
using the REST API to update the options, exposing them in the endpoint as
a result.
The first example that comes to mind is storing a social media access
token or key/secret pair to allow posting via the WordPress admin or
displaying the posts on the site.
There are 75K+ [https://wpdirectory.net/search/01DTQA0QACN9DS2GM35ZJR1SW4 instances of `register_setting()` in the plugin directory]
so it's a pretty safe bet unintended data would become available as a result.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48812#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
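The exposure path the comment describes, as an added example that is not part of the ticket or of WordPress core: a hypothetical plugin (names `example_social_*` are assumed) registers a public display preference with `show_in_rest => true` and an access token without it (`show_in_rest` defaults to false in `register_setting()`, so the `/wp/v2/settings` controller neither reads nor writes the token), plus an audit helper built on `get_registered_settings()` that lists every setting the REST settings endpoint would expose, so a site owner can confirm no secret is in that list.

```php
<?php
/**
 * Added example, not from the ticket: keep a plugin secret out of the REST
 * settings endpoint and audit which registered settings are REST-visible.
 * All example_social_* names are hypothetical.
 */

add_action( 'init', function () {
    // Intentionally exposed: a harmless display preference.
    register_setting( 'example_social', 'example_social_feed_count', array(
        'type'              => 'integer',
        'default'           => 5,
        'sanitize_callback' => 'absint',
        'show_in_rest'      => true,
    ) );

    // Secret: show_in_rest is false (the default), so WP_REST_Settings_Controller
    // never includes it in GET or POST handling of /wp/v2/settings.
    register_setting( 'example_social', 'example_social_access_token', array(
        'type'              => 'string',
        'default'           => '',
        'sanitize_callback' => 'sanitize_text_field',
        'show_in_rest'      => false,
    ) );
} );

/**
 * Names of all registered settings that the REST settings controller would
 * expose, i.e. every entry in get_registered_settings() with show_in_rest set.
 *
 * @return string[] Option names visible via /wp/v2/settings.
 */
function example_rest_visible_settings() {
    $visible = array();
    foreach ( get_registered_settings() as $name => $args ) {
        if ( ! empty( $args['show_in_rest'] ) ) {
            $visible[] = $name;
        }
    }
    return $visible;
}

// Defensive check: warn administrators if the secret ever becomes REST-visible
// (for instance because another plugin re-registered it with show_in_rest).
add_action( 'admin_notices', function () {
    if ( in_array( 'example_social_access_token', example_rest_visible_settings(), true ) ) {
        echo '<div class="notice notice-error"><p>'
            . esc_html( 'example_social_access_token is exposed via the REST settings endpoint; remove show_in_rest from its registration.' )
            . '</p></div>';
    }
} );
```

Because `show_in_rest` is opt-in, the risk the comment raises is not that secrets leak by default but that any setting a plugin has opted in to expose would be readable by whatever role the proposed read access granted; the audit helper makes that opt-in set visible to the site owner.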