Opened 10 months ago
Closed 10 months ago
#60022 closed defect (bug) (invalid)
Security tool reporting CORS vulnerability on wp-json
| Reported by: | sitebolts | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | General | Keywords: | |
| Focuses: | | Cc: | |
Description
Hi there, we had a client report that they ran a security tool and received a CORS vulnerability warning on their wp-json endpoint.
They've unfortunately forgotten what tool they ran, but a quick Google search shows that other people have received similar messages.
A few threads I've found say that it's no big deal since wp-json is intentionally a public endpoint, but some replies are talking about how to fix it, so there seems to be mixed information floating around.
Can we get a canonical answer on the matter? Is the default configuration for wp-json okay or does it leave the site open to a CORS exploit?
Report details:
Vulnerability: CORS Misconfiguration
Vulnerable URL: https://example.com/wp-json
Weakness: Security Misconfiguration
Vulnerability Description
- A cross-origin resource-sharing misconfiguration occurs when the web server allows third-party domains to perform privileged tasks through the browsers of legitimate users.
IMPACT
- CORS misconfigurations can give attackers access to internal sites behind the firewall using cross-communication types of attacks
MITIGATION
- Proper configuration of cross-origin requests
- Only allow trusted sites
- Avoid whitelisting null
- Avoid wildcards in internal networks
Hi @sitebolts,
Welcome to Trac!
Yes, the REST API has an intentionally public CORS configuration. It uses the WordPress nonce system to prevent attacks.
You can read more here: https://developer.wordpress.org/rest-api/frequently-asked-questions/#why-is-the-rest-api-not-verifying-the-incoming-origin-header-does-this-expose-my-site-to-csrf-attacks
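To make the reply's point concrete for site owners reading this ticket, here is an added model (written for this page, not WordPress core code) of the two mechanisms involved: the REST API reflects the request's Origin with credentials allowed, which is what scanners flag, but cookie authentication is only honoured when a valid nonce for the `wp_rest` action arrives in `X-WP-Nonce`. The nonce scheme below mirrors the shape of `wp_create_nonce()` / `wp_verify_nonce()` (tick-based windows, current and previous tick accepted) but substitutes HMAC-SHA256 with a constructed secret for `wp_hash()`; the sessions table, user id and clock value are constructed inputs.

```python
import hashlib
import hmac
import math
import time

# Assumptions for this model (not WordPress values): a constructed secret stands in
# for the site's salts, and HMAC-SHA256 stands in for wp_hash().
NONCE_SECRET = b"constructed-secret-for-illustration-only"
NONCE_LIFE = 86400        # DAY_IN_SECONDS, WordPress's default nonce lifetime
REST_ACTION = "wp_rest"   # the action the REST API uses for X-WP-Nonce


def _nonce_for(tick, user_id, session_token, action):
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(NONCE_SECRET, msg, hashlib.sha256).hexdigest()[-12:-2]


def nonce_tick(now=None):
    """Nonces are bound to half-lifetime windows, like wp_nonce_tick()."""
    now = time.time() if now is None else now
    return math.ceil(now / (NONCE_LIFE / 2))


def create_nonce(user_id, session_token, action=REST_ACTION, now=None):
    return _nonce_for(nonce_tick(now), user_id, session_token, action)


def verify_nonce(nonce, user_id, session_token, action=REST_ACTION, now=None):
    """Accepts the current and the previous tick, like wp_verify_nonce()."""
    tick = nonce_tick(now)
    for t in (tick, tick - 1):
        if hmac.compare_digest(nonce, _nonce_for(t, user_id, session_token, action)):
            return True
    return False


def cors_headers(origin):
    """Model of the headers the REST API sends when an Origin header is present:
    the origin is reflected and credentials are allowed (this is what scanners flag)."""
    if not origin:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def resolve_user(request, sessions):
    """Cookie authentication is honoured only together with a valid nonce.
    Returns (user_id, error): user 0 means anonymous; error is (code, status)."""
    cookie_user = request.get("cookie_user")            # user named by the auth cookie
    if cookie_user is None:
        return 0, None                                   # no cookie: anonymous
    nonce = request.get("headers", {}).get("X-WP-Nonce")
    if nonce is None:
        return 0, None                                   # cookie but no nonce: anonymous
    if verify_nonce(nonce, cookie_user, sessions[cookie_user], now=request.get("now")):
        return cookie_user, None
    return None, ("rest_cookie_invalid_nonce", 403)


def handle_users_me(request, sessions):
    """GET /wp-json/wp/v2/users/me modelled as (status, body, headers)."""
    headers = cors_headers(request.get("headers", {}).get("Origin"))
    user_id, error = resolve_user(request, sessions)
    if error:
        return error[1], {"code": error[0]}, headers
    if user_id == 0:
        return 401, {"code": "rest_not_logged_in"}, headers
    return 200, {"id": user_id}, headers


# --- constructed scenario ---------------------------------------------------
SESSIONS = {7: "constructed-session-token"}   # user 7 has a valid login cookie
NOW = 1_700_000_000                            # fixed clock for a deterministic run


def scenario():
    """Three requests that all carry user 7's login cookie: one from another
    origin without a nonce, one from another origin with a wrong nonce, and one
    from the site's own script carrying the nonce embedded in its page."""
    base = {"cookie_user": 7, "now": NOW}
    requests = {
        "cross_origin_no_nonce": {**base, "headers": {"Origin": "https://other.example"}},
        "cross_origin_bad_nonce": {**base, "headers": {"Origin": "https://other.example",
                                                       "X-WP-Nonce": "0123456789"}},
        "same_origin_with_nonce": {**base, "headers": {"Origin": "https://example.com",
                                                       "X-WP-Nonce": create_nonce(7, SESSIONS[7], now=NOW)}},
    }
    return {name: handle_users_me(r, SESSIONS)[:2] for name, r in requests.items()}


if __name__ == "__main__":
    for name, (status, body) in scenario().items():
        print(f"{name:23} -> {status} {body}")
```

The reflected origin and `Access-Control-Allow-Credentials: true` are present on every response in the model, yet only the request carrying a nonce minted for that user's session reads the account; a page on another origin never sees that nonce, since it is delivered inside the site's own HTML and scripts under the same-origin policy. That is why a generic CORS scanner finding on `wp-json` is not, by itself, a cross-site authentication bypass, and why the check worth running on a real site is whether a cookie-bearing request without `X-WP-Nonce` comes back as `rest_not_logged_in`.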