[wp-trac] [WordPress Trac] #60022: Security tool reporting CORS vulnerability on wp-json
WordPress Trac
noreply at wordpress.org
Wed Dec 6 18:53:32 UTC 2023
#60022: Security tool reporting CORS vulnerability on wp-json
--------------------------+----------------------
Reporter: sitebolts | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: General | Version:
Severity: normal | Resolution: invalid
Keywords: | Focuses:
--------------------------+----------------------
Changes (by TimothyBlynJacobs):
* status: new => closed
* resolution: => invalid
* milestone: Awaiting Review =>
Comment:
Hi @sitebolts,
Welcome to Trac!
Yes, the REST API has an intentionally public CORS configuration. It uses
the WordPress nonce system to prevent attacks.
You can read more here: https://developer.wordpress.org/rest-api
/frequently-asked-questions/#why-is-the-rest-api-not-verifying-the-
incoming-origin-header-does-this-expose-my-site-to-csrf-attacks
--
Ticket URL: <https://core.trac.wordpress.org/ticket/60022#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list