Security issue in WordPress REST API

The WordPress security team today announced vulnerabilities in the WordPress REST API plugin that expose user data to unauthenticated users.

The announcement, "WP REST API: Versions 2.0 Beta 12.1 and 2.0 Beta 13.1", reveals security issues in which, with certain parameters, user data in the system such as email addresses can be exposed to unauthenticated users.

The WP REST API and WordPress teams comment on the upgrade process:

The security team is pushing automatic updates, but do not wait or rely on the automatic update process. We recommend sites or plugins that are using either 2.0 Beta 12 or 2.0 Beta 13 to update the plugin immediately.

Given the popularity of WordPress, this is a concern that all users of any web-facing software should take seriously, as shown by the Mossack Fonseca information leak, which was caused by insecure Drupal and WordPress installations.

Read more: WP REST API: Versions 2.0 Beta 12.1 and 2.0 Beta 13.1