[wp-trac] [WordPress Trac] #53784: Limiting user enumeration through the REST API
WordPress Trac
noreply at wordpress.org
Mon Aug 5 18:53:21 UTC 2024
#53784: Limiting user enumeration through the REST API
-------------------------------------------------+-------------------------
Reporter: ehtis | Owner: (none)
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: Future Release
Component: REST API | Version:
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests has-screenshots dev-reviewed changes-requested | Focuses: rest-api, privacy
-------------------------------------------------+-------------------------
Comment (by ironprogrammer):
For clarification regarding the security update to 6.3.2 in comment:19,
that fix addresses the case where the `search` param is used directly on
the Users endpoint.
However, as originally reported, a `search` query against the Comments
endpoint remains vulnerable to oracle-style attacks, e.g.
`/wp-json/wp/v2/comments?search=@`, to discover commenter emails. This
ticket/concern remains valid IMHO.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53784#comment:20>
WordPress Trac <https://core.trac.wordpress.org/>
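One way a site owner can close the gap described above while the ticket is open is to refuse the `search` parameter on the comments collection route for callers who cannot moderate comments. The following mu-plugin is an added example written for this page; it is not WordPress core code and not a patch attached to #53784. It assumes the core `rest_request_before_callbacks` filter, `WP_REST_Request::get_route()`, the `moderate_comments` capability and `rest_authorization_required_code()`, all of which exist in current WordPress, and it assumes that anonymous visitors have no legitimate need to search comments on the site in question.

```php
<?php
/**
 * Plugin Name: Restrict REST comment search (example mitigation)
 *
 * Added example, not WordPress core code and not a patch from ticket #53784.
 * Assumption: callers without the moderate_comments capability have no
 * legitimate use for `search` on /wp/v2/comments, so the request is refused
 * before the collection callback (and its comment query) ever runs.
 */

add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
	// An earlier filter already produced a response or error: leave it alone.
	if ( null !== $response ) {
		return $response;
	}

	// Only the comments collection route is affected; single-comment and
	// unrelated routes pass through untouched.
	if ( ! preg_match( '#^/wp/v2/comments/?$#', $request->get_route() ) ) {
		return $response;
	}

	// Nothing to do unless a search term was actually supplied.
	$search = $request->get_param( 'search' );
	if ( null === $search || '' === $search ) {
		return $response;
	}

	// Comment moderators can already see author emails in wp-admin, so
	// blocking them gains nothing; everyone else is refused.
	if ( current_user_can( 'moderate_comments' ) ) {
		return $response;
	}

	// 401 for anonymous callers, 403 for logged-in users lacking the capability.
	return new WP_Error(
		'rest_forbidden_comment_search',
		__( 'Sorry, you are not allowed to search comments.' ),
		array( 'status' => rest_authorization_required_code() )
	);
}, 10, 3 );
```

Drop the file into `wp-content/mu-plugins/` so it loads before regular plugins. Short-circuiting in `rest_request_before_callbacks` rather than stripping `search` inside `rest_comment_query` is deliberate: the caller receives an explicit 401/403 instead of a silently unfiltered result set, and the query against `comment_author_email` is never executed, so the oracle has nothing to leak. If the site's theme legitimately searches comments for visitors, narrow the capability check to the roles that need it rather than removing it.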