Make WordPress Core

Opened 6 years ago

Closed 5 years ago

#44449 closed defect (bug) (invalid)

WP_REST_Users_Controller->get_item_permissions_check() should return permission error even if user does not exist

Reported by: ste_95's profile Ste_95 Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.7
Component: REST API Keywords: close
Focuses: Cc:


Right now, WP_REST_Users_Controller->get_item_permissions_check() returns a different error depending on whether the request user does not exist or the requester does not have permission to list_users.

This is due to an early check on $user:

if ( is_wp_error( $user ) ) {
     return $user;

This is not a real security vulnerability, but it may give away information to an attacker. We probably shouldn't want to give away the fact that a user exists (or not), if the requester does not have permission to pull a list of existing users. Otherwise we are allowing them to (slowly) build a users list by making a multitude of wrong requests. The check above should thus probably go at the bottom of the function, just before the return true;.

Change History (2)

#1 @swissspidy
6 years ago

  • Component changed from Security to REST API
  • Focuses rest-api removed
  • Keywords close added

Disclosure of usernames and user IDs is not a security issue. If you want to get a list of usernames you could just try logging in or use the password reset form to achieve the same.

#2 @TimothyBlynJacobs
5 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed
  • Version set to 4.7

Closing per @swissspidy's comment.

Note: See TracTickets for help on using tickets.