#52858 closed defect (bug) (duplicate)
Wp-json Accessible from Outside
Reported by: | stavrosomo | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | major | Version: | 5.6.2 |
Component: | REST API | Keywords: | |
Focuses: | | Cc: | |
Description
The route "wp-json" cannot be accessed when a user is not registered on the website or not logged in to the website. But it is accessible even when a user has a "Subscriber" role. That means that he can just subscribe to the newsletter of any website and be able to see the website's user details and attack the wp-json route, which is open to any user. I guess this is a major issue that needs to be sorted out asap. I hope that will help sort this issue out!
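Core leaves the REST API reachable for anonymous and low-privilege users on purpose (see the reply below), so a site owner who wants the behaviour this ticket asks for has to add it themselves. The following mu-plugin is an added example written for this page, not WordPress core code and not an official recommendation: it short-circuits `rest_pre_dispatch` to (1) require a logged-in user for every route except an allowlist of public prefixes (the allowlist and the plugin name are assumptions) and (2) require the `list_users` capability for the user collection and for reading other users' records, so a Subscriber can still fetch their own record and `/wp/v2/users/me` but cannot enumerate accounts.

```php
<?php
/**
 * Plugin Name: Example REST API exposure limits
 *
 * Constructed example for ticket #52858; not WordPress core code.
 * Save as wp-content/mu-plugins/example-rest-limits.php to activate.
 */

// Route prefixes that stay reachable without a login (assumption: adjust per site).
const EXAMPLE_REST_PUBLIC_PREFIXES = array( '/oembed/1.0' );

add_filter(
	'rest_pre_dispatch',
	function ( $result, $server, $request ) {
		// Another filter already short-circuited this request; keep its decision.
		if ( null !== $result ) {
			return $result;
		}

		$route = $request->get_route();

		// Public allowlist: fall through to normal dispatch.
		foreach ( EXAMPLE_REST_PUBLIC_PREFIXES as $prefix ) {
			if ( 0 === strpos( $route, $prefix ) ) {
				return null;
			}
		}

		// Everything else requires an authenticated user. Cookie + nonce
		// (admin and block editor) and application passwords have already
		// been evaluated by the time this filter runs.
		if ( ! is_user_logged_in() ) {
			return new WP_Error(
				'rest_login_required',
				__( 'You must be logged in to use the REST API on this site.' ),
				array( 'status' => 401 )
			);
		}

		// Reading /wp/v2/users or /wp/v2/users/<id> of someone else requires
		// list_users (Administrator by default). URL params are not parsed yet
		// at this point, so the id is taken from the route string.
		if (
			'GET' === $request->get_method()
			&& preg_match( '#^/wp/v2/users(?:/(\d+))?/?$#', $route, $m )
			&& ! current_user_can( 'list_users' )
		) {
			$requested_id = isset( $m[1] ) ? (int) $m[1] : 0;
			if ( 0 === $requested_id || get_current_user_id() !== $requested_id ) {
				return new WP_Error(
					'rest_user_cannot_view',
					__( 'Sorry, you are not allowed to list users.' ),
					array( 'status' => 403 )
				);
			}
		}

		return null; // proceed with normal routing and permission callbacks
	},
	10,
	3
);
```

Before deploying something like this, check what on the site relies on anonymous REST access (front-end plugins, headless themes, oEmbed consumers) and add those prefixes to the allowlist, and confirm that logged-in editors and contributors can still use the block editor, which talks to the API with cookie authentication and a nonce.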
Change History (3)
#1 (follow-up: ↓ 2) @SergeyBiryukov, 4 years ago
- Component changed from Filesystem API to REST API
- Keywords security bug removed
- Milestone Awaiting Review deleted
- Resolution set to duplicate
- Status changed from new to closed
#2 (in reply to: ↑ 1) 4 years ago
Replying to SergeyBiryukov:
Hi there, welcome to WordPress Trac! Thanks for the report.
Just noting that this is by design and was previously discussed a few times, most recently in #49110. Let's continue the discussion there.
Hi there,
Thank you for your reply! From what I can see, the specific ticket you mentioned is closed as well. I was wondering whether I can ask any question about it, since they do not mention having a subscriber being able to view the wp-json data, for example.
#3 4 years ago
Sure, discussion can continue on closed tickets any time to bring up new points or considerations. Previous participants should get a notification, and there are a number of core contributors following all comments on Trac.
Tickets can also be reopened if there is enough consensus, though I don't think that would be the case here yet.