Make WordPress Core

#52169 closed defect (bug) (invalid)

REST API - User route security issue

Reported by: rajanit2000
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.6
Component: REST API
Keywords:
Focuses: rest-api
Cc:


Hi Team,

I am not sure this is an issue, but someone can guess their usernames (mostly slug).

At least we can hide the slug info in the returned JSON values.

Change History (2)

#1 @oglekler
13 months ago

Hi! Profiles Rosetta sites ( users are public and searchable. So, there is no point in hiding them from the API. In the case of a personal or company site it can be done, but it is not supposed to be a very useful measure on a big scale.

For tickets related to these sites there is a separate Trac:

#2 @TimothyBlynJacobs
13 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hi @rajanit2000,

Disclosure of usernames is not a security issue. For more info read:

Please note, as the checkbox you had to check before creating this ticket indicated, Trac is not the right place to report suspected security vulnerabilities.
