Make WordPress Core

Opened 9 months ago

Closed 9 months ago

#52169 closed defect (bug) (invalid)

REST API - User route security issue

Reported by: rajanit2000
Owned by: (none)
Milestone: (none)
Priority: normal
Severity: normal
Version: 5.6
Component: REST API
Keywords: (none)
Focuses: rest-api
Cc: (none)

Description

Hi Team,

I am not sure this is an issue, but someone can guess their usernames (mostly the slug).

At least we can hide the slug info in the returned JSON values.

https://developer.wordpress.org/wp-json/wp/v2/users
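As an added example of the mitigation the reporter suggests for a personal or company site (this is not code from the ticket or from WordPress core): a small plugin that strips the `slug` field from `/wp/v2/users` responses for visitors without the `list_users` capability, using the `rest_prepare_user` filter, and, as a stricter option, removes the public user routes for anonymous requests via the `rest_endpoints` filter. The exact route keys unset in the second filter are assumed to match how core registers the users controller.

```php
<?php
/**
 * Plugin Name: Hide user slugs from the REST API
 *
 * Added example for ticket #52169; not part of WordPress core.
 * Drops the `slug` field from /wp/v2/users responses for anonymous
 * requests and, optionally, removes the public user routes entirely.
 */

// Option 1: keep the route, but strip `slug` for visitors who may not list users.
add_filter(
	'rest_prepare_user',
	function ( WP_REST_Response $response, WP_User $user, WP_REST_Request $request ) {
		// Anyone with `list_users` (editors, admins) still gets the full record.
		if ( current_user_can( 'list_users' ) ) {
			return $response;
		}
		$data = $response->get_data();
		unset( $data['slug'] );
		$response->set_data( $data );
		return $response;
	},
	10,
	3
);

// Option 2 (stricter): remove the public user routes for anonymous requests.
// Route keys are an assumption based on core's registration of the users controller.
add_filter(
	'rest_endpoints',
	function ( array $endpoints ) {
		if ( is_user_logged_in() ) {
			return $endpoints;
		}
		unset(
			$endpoints['/wp/v2/users'],
			$endpoints['/wp/v2/users/(?P<id>[\d]+)']
		);
		return $endpoints;
	}
);
```

Drop the file into `wp-content/plugins/` and activate it; then check the effect from outside with something like `curl -s https://example.com/wp-json/wp/v2/users | jq '.[].slug'` (option 1 returns no `slug` keys; option 2 returns a `rest_no_route` error). Note that `id` and `name` are still returned under option 1, and the same slug is the author archive path, so this narrows one route rather than hiding the username; that is the limited usefulness oglekler points out below.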

Change History (2)

#1 @oglekler
9 months ago

Hi! Profiles of Rosetta site (WP.org) users are public and searchable, so there is no point in hiding them from the API. In the case of a personal or company site it can be done, but it is not supposed to be a very useful measure on a big scale.

Tickets related to these sites have a separate Trac: https://meta.trac.wordpress.org/

#2 @TimothyBlynJacobs
9 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hi @rajanit2000,

Disclosure of usernames is not a security issue. For more info read: https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue

Please note, as the checkbox you had to check before creating this ticket indicated, Trac is not the right place to report suspected security vulnerabilities. https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#where-do-i-report-security-issues