Make WordPress Core

#60022 closed defect (bug) (invalid)

Security tool reporting CORS vulnerability on wp-json

Reported by: sitebolts
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: General
Keywords:
Focuses:
Cc:

Description

Hi there, we had a client report that they ran a security tool and received a CORS vulnerability warning on their wp-json endpoint.

They've unfortunately forgotten what tool they ran, but a quick Google search shows that other people have received similar messages.

A few threads I've found say that it's no big deal since wp-json is intentionally a public endpoint, but some replies are talking about how to fix it, so there seems to be mixed information floating around.

Can we get a canonical answer on the matter? Is the default configuration for wp-json okay or does it leave the site open to a CORS exploit?


Report details:

Vulnerability: CORS Misconfiguration

Vulnerable URL: https://example.com/wp-json

Weakness: Security Misconfiguration

Vulnerability Description

  • A cross-origin resource-sharing misconfiguration occurs when the web server allows third-party domains to perform privileged tasks through the browsers of legitimate users.

IMPACT

  • CORS misconfigurations can give attackers access to internal sites behind the firewall using cross-communication types of attacks

MITIGATION

  • Proper configuration of cross-origin requests
  • Only allow trusted sites
  • Avoid whitelisting null
  • Avoid wildcards in internal networks

Change History (1)

#1 @TimothyBlynJacobs
10 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hi @sitebolts,

Welcome to Trac!

Yes, the REST API has an intentionally public CORS configuration. It uses the WordPress nonce system to prevent attacks.

You can read more here: https://developer.wordpress.org/rest-api/frequently-asked-questions/#why-is-the-rest-api-not-verifying-the-incoming-origin-header-does-this-expose-my-site-to-csrf-attacks
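To make the reply's point concrete, here is an added illustration that is not WordPress core code and not part of this ticket: a small Python model of the two pieces involved, the permissive CORS response that scanners flag (the request's Origin is echoed back with credentials allowed, as rest_send_cors_headers() does) and the cookie-authentication rule of rest_cookie_check_errors() that makes it safe (a login cookie without a REST nonce is downgraded to an anonymous request; a wrong nonce is rejected with 403). The salt, session table, request objects and the cut-down nonce construction are assumptions made for the example; real WordPress nonces also mix in the user's session token.

```python
"""Simplified model of the REST API cookie-authentication rule the reply
describes. Hypothetical example, not WordPress core code: the salt, the
session table and the request objects are constructed for illustration, and
the nonce is a cut-down version of wp_create_nonce() (real nonces also mix
in the user's session token)."""
import hashlib
import hmac
from dataclasses import dataclass, field

SECRET_SALT = b"constructed-example-salt"   # stands in for the wp-config.php salts
NONCE_ACTION = "wp_rest"                    # action name WordPress uses for REST nonces
NONCE_LIFE = 24 * 60 * 60                   # nonces live one day, rotating at the half-way tick

# Constructed session store: login cookie value -> user id
SESSIONS = {"wordpress_logged_in=abc123": 42}


def nonce_tick(now: int) -> int:
    """Time bucket for a nonce; WordPress keeps the current and previous bucket valid."""
    return now // (NONCE_LIFE // 2)


def create_nonce(user_id: int, now: int, action: str = NONCE_ACTION) -> str:
    """Create a nonce bound to (tick, action, user), truncated like WordPress's 10-char nonces."""
    msg = f"{nonce_tick(now)}|{action}|{user_id}".encode()
    return hmac.new(SECRET_SALT, msg, hashlib.sha256).hexdigest()[:10]


def verify_nonce(nonce: str, user_id: int, now: int, action: str = NONCE_ACTION) -> bool:
    """Accept a nonce from the current or the previous tick, as wp_verify_nonce() does."""
    tick = nonce_tick(now)
    for t in (tick, tick - 1):
        msg = f"{t}|{action}|{user_id}".encode()
        expected = hmac.new(SECRET_SALT, msg, hashlib.sha256).hexdigest()[:10]
        if hmac.compare_digest(expected, nonce):
            return True
    return False


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


@dataclass
class AuthResult:
    user_id: int   # 0 means the request runs as a logged-out visitor
    status: int    # 200 = proceed, 403 = rejected
    reason: str


def cookie_auth_check(req: Request, now: int) -> AuthResult:
    """Mirror the rule of rest_cookie_check_errors(): cookie + no nonce -> anonymous,
    cookie + bad nonce -> 403, cookie + valid nonce -> authenticated user."""
    user_id = SESSIONS.get(req.headers.get("Cookie", ""), 0)
    if user_id == 0:
        return AuthResult(0, 200, "no login cookie, served as anonymous")
    # WordPress looks for the nonce in the X-WP-Nonce header or the _wpnonce query argument
    nonce = req.headers.get("X-WP-Nonce") or req.query.get("_wpnonce")
    if nonce is None:
        # The cross-origin case: the browser attaches the cookie, but a script on another
        # origin cannot read a nonce out of the site's pages, so the user is dropped to 0
        return AuthResult(0, 200, "cookie without nonce, downgraded to anonymous")
    if not verify_nonce(nonce, user_id, now):
        return AuthResult(0, 403, "rest_cookie_invalid_nonce")
    return AuthResult(user_id, 200, "cookie and valid nonce, authenticated")


def cors_headers(origin: str) -> dict:
    """The permissive CORS response scanners flag: the Origin is echoed back with
    credentials allowed (modelled on rest_send_cors_headers())."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    now = 1_700_000_000
    cookie = "wordpress_logged_in=abc123"
    # A page on another origin fires a credentialed request; the cookie rides along, a nonce does not
    cross = Request("POST", "/wp-json/wp/v2/posts",
                    {"Origin": "https://third-party.example", "Cookie": cookie})
    print(cors_headers(cross.headers["Origin"]), cookie_auth_check(cross, now))
    # The site's own JavaScript sends the nonce it was handed server-side
    own = Request("POST", "/wp-json/wp/v2/posts",
                  {"Cookie": cookie, "X-WP-Nonce": create_nonce(42, now)})
    print(cookie_auth_check(own, now))
```

The takeaway matches the reply: echoing the Origin is harmless here because the only thing a credentialed cross-origin request can obtain is what an anonymous visitor could fetch anyway, and any attempt to act as the logged-in user fails at the nonce check. The model also shows the rotation rule that lets a nonce from the previous half-day tick still verify, which is why a valid nonce expires rather than living forever.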
