Make WordPress Core

Opened 7 weeks ago

Closed 7 weeks ago

#61143 closed defect (bug) (duplicate)

Our rest api User listing has chances to reveal username of Administrator User "wp-json/wp/v2/users"

Reported by: hlakkad1998
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.7
Component: REST API
Keywords:
Focuses:
Cc:

Description

Whenever we create a setup in WordPress, at that time we have to add a user name. So after the setup, we can log in to the admin panel with that new user. I know that in the API it shows the display name field. But in 90% of the cases, it takes the username as the display name. Admin users do not change this even after creating a new user. So when I hit "http://localhost/wordpress/security-check/wp-json/wp/v2/users" in my local setup, it shows me the admin user name (the display name is the same as the user name). When I did the setup of WordPress, I created a user with the name "security-check-admin", and I can see the same name in the users API. I think this is a bad idea. I prefer that this API should not give any information about the administrator role. Even if you give access, user names should not be revealed like this. I am attaching some photos so you guys can check. I have tested this on version 6.5.2. Please look into this.

Attachments (1)

rest-api-security-check.jpg (60.7 KB) - added by hlakkad1998 7 weeks ago.
This file shows that "wp-json/wp/v2/users" contains the admin user name.
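
The behaviour described in the ticket can be checked by a site owner against their own installation. The following Python sketch is an added example, not part of the ticket or of WordPress: it compares the public `name` and `slug` fields of a `wp-json/wp/v2/users` response with the site's own login list. The sample response, the account list and the function names are constructed assumptions.

```python
import json

# Constructed sample of a GET wp-json/wp/v2/users response body, trimmed to
# the fields used here. All values are made up for illustration.
SAMPLE_RESPONSE = json.dumps([
    {"id": 1, "name": "security-check-admin", "slug": "security-check-admin"},
    {"id": 2, "name": "Jane Editor", "slug": "jeditor"},
    {"id": 3, "name": "Sam Writer", "slug": "sam-writer"},
])

# Assumption: the owner's own list of logins and roles, taken from the admin side.
KNOWN_ACCOUNTS = {
    "security-check-admin": "administrator",
    "jeditor": "editor",
    "swriter_2024": "author",
}


def normalise(value):
    """Trim and case-fold so that 'Admin ' and 'admin' compare equal."""
    return str(value or "").strip().casefold()


def audit_user_listing(response_body, known_accounts):
    """Return one finding per listed user whose public fields equal a login."""
    logins = {normalise(k): (k, role) for k, role in known_accounts.items()}
    findings = []
    # An error object (for example when the route is restricted) is a dict,
    # not a list; iterating it yields strings, which are skipped below.
    for user in json.loads(response_body):
        if not isinstance(user, dict):
            continue
        fields = [f for f in ("name", "slug") if normalise(user.get(f)) in logins]
        if not fields:
            continue
        login, role = logins[normalise(user.get(fields[0]))]
        findings.append({"id": user.get("id"), "login": login,
                         "role": role, "fields": fields})
    # Administrator accounts first, then by user id.
    findings.sort(key=lambda f: (f["role"] != "administrator", f["id"] or 0))
    return findings


if __name__ == "__main__":
    for finding in audit_user_listing(SAMPLE_RESPONSE, KNOWN_ACCOUNTS):
        print(finding)
```

An account that appears in the findings can be given a display name that differs from its login; the third constructed account shows the case where neither public field matches the login.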


Change History (2)

@hlakkad1998
7 weeks ago

This file shows that "wp-json/wp/v2/users" contains the admin user name.

#1 @swissspidy
7 weeks ago

  • Focuses rest-api privacy removed
  • Keywords needs-privacy-review needs-patch removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Severity changed from critical to normal
  • Status changed from new to closed
  • Version changed from 6.5 to 4.7

Duplicate of #52169.

Hi there and welcome to WordPress Trac!

As per our security FAQ, disclosure of usernames is not considered to be a security issue.
