Why the WordPress REST API user endpoint still isn’t fixed and 20170113 Vulnerability Report

Not as many vulnerabilities to report this week (that’s good, right?).  Just four.

20170113 Vulnerable Plugins Report

I would like to mention that one of the security items fixed in version 4.7.1 of WordPress this week isn’t as complete as it initially sounds.

The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.

As I have mentioned a couple of times, exposing your user data publicly is a bad idea and goes directly against OWASP A6 Sensitive Data Exposure.  From the changelog (quoted above) it sounds like in v4.7 your user data was only exposed if the user had authored a public post, but that’s not correct.  When I first heard about the user endpoints in the REST API, I discovered that all users who were capable of publishing were exposed, even if they had never published anything (and don’t forget: your first admin user is automatically added as the author of the example post when installing WordPress). In the v4.7.1 fix, they’ve changed that to be only post types that are to be shown in the REST API, but don’t forget that the default post type is included automatically.

WordPress User details
a WordPress Editor who has never published a post

The above screenshot is from a version 4.7.1 WordPress site that has not had the user endpoints removed. As you can see, the account adamsmel does not have any posts.  In fact, this particular site is brand new and doesn’t have any posts, published or draft, at all.   However, when querying the REST API for users, her account still shows up.

User account still shows up in the return from the REST API user endpoint






Now, it’s possible that the change introduced in version 4.7.1 only affects new user accounts that are added after the 4.7.1 update is applied, but that still leaves millions of sites at risk of exposing their usernames.

I love the REST API; I truly do, but considering the amount of information potentially exposed, it has to be done securely.  Until the REST API can be placed behind authentication, then the WordPress core team needs to remove the default post type from automatically being included in the REST API and remove the user endpoints.  Give developers the ability to expose those endpoints if they want, but don’t make it the default for the millions of WordPress installations that will never see a developer.