WordPress.org

Make WordPress Core

Opened 7 months ago

Closed 7 months ago

Last modified 7 months ago

#52858 closed defect (bug) (duplicate)

Wp-json Accessible from Outside

Reported by: stavrosomo Owned by:
Milestone: Priority: normal
Severity: major Version: 5.6.2
Component: REST API Keywords:
Focuses: Cc:

Description

The route "wp-json" cannot be accessible when a user is not registered to the website or not logged in to the website. But it is accessible even when a user has a "Subscriber" role. That means that he can just subscribe to the newsletter of any website and be able to see the website user details and attack on the wp-json route which is open to any user. I guess this is a major issue that needs to be sorted out asap. I hope that will help sort this issue out!

Change History (3)

#1 follow-up: @SergeyBiryukov
7 months ago

  • Component changed from Filesystem API to REST API
  • Keywords security bug removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi there, welcome to WordPress Trac! Thanks for the report.

Just noting that this is by design and was previously discussed a few times, most recently in #49110. Let's continue the discussion there.

#2 in reply to: ↑ 1 @stavrosomo
7 months ago

Replying to SergeyBiryukov:

Hi there, welcome to WordPress Trac! Thanks for the report.

Just noting that this is by design and was previously discussed a few times, most recently in #49110. Let's continue the discussion there.

Hi there,

Thank you for your reply! From what i can see the specific ticket you mentioned is closed as well. I was wondering whether i can ask any question about it since they do not mention having a subscriber being able to view the wp-json data for example.

#3 @SergeyBiryukov
7 months ago

Sure, discussion can continue on closed tickets any time to bring up new points or considerations. Previous participants should get a notification, and there are a number of core contributors following all comments on Trac.

Tickets can also be reopened if there is enough consensus, though I don't think that would be the case here yet.

Last edited 7 months ago by SergeyBiryukov (previous) (diff)
Note: See TracTickets for help on using tickets.