[wp-trac] [WordPress Trac] #53784: Limiting user enumeration through the REST API
WordPress Trac
noreply at wordpress.org
Mon Jul 26 12:08:33 UTC 2021
#53784: Limiting user enumeration through the REST API
--------------------------+----------------------------
Reporter: ehtis | Owner: dd32
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: Future Release
Component: Users | Version:
Severity: normal | Keywords: needs-patch
Focuses: rest-api |
--------------------------+----------------------------
Via endpoints like `/wp/v2/comments?search=$term`, it's currently possible
to perform email discovery through brute force; in this case, the emails of
commenters.
Not exactly the same, but previous discussion (for login forms) is at:
https://core.trac.wordpress.org/ticket/9568#comment:82
After an H1 report and some discussion within the
[https://wordpress.slack.com/archives/G02QQEF9J/p1615160652036100?thread_ts=1614980894.034400&cid=G02QQEF9J
security team], it was decided we should probably "fix" this and have more
public discussion.
Authorized users should be able to search comment data that's non-public.
[https://hackerone.com/reports/1117674 Report] by `dawidpieper`.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53784>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
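One defensive interim measure for the behaviour the ticket describes, as an added example that is neither part of the ticket nor WordPress core code: a must-use plugin that refuses a `search` parameter on `/wp/v2/comments` unless the caller holds a capability. The choice of `moderate_comments` as that capability and the mu-plugin placement are assumptions for this example; the filters and functions used are standard WordPress REST API hooks.

```php
<?php
/**
 * Plugin Name: Require a capability for REST comment search (hardening example)
 *
 * Drop-in for wp-content/mu-plugins/. Requests to the /wp/v2/comments
 * collection that carry a non-empty `search` parameter are rejected unless
 * the current user can moderate comments. Plain listings (no `search`) and
 * every other route pass through unchanged.
 */

add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    // Leave an error raised earlier in the dispatch chain untouched.
    if ( is_wp_error( $response ) ) {
        return $response;
    }

    // Only the comments collection route is gated here.
    if ( '/wp/v2/comments' !== $request->get_route() ) {
        return $response;
    }

    // A missing or blank search term is an ordinary listing request.
    $search = $request->get_param( 'search' );
    if ( null === $search || '' === trim( (string) $search ) ) {
        return $response;
    }

    // Assumption: moderate_comments is the bar this site applies to
    // searching across commenter data; adjust to local policy.
    if ( current_user_can( 'moderate_comments' ) ) {
        return $response;
    }

    // Returning a WP_Error short-circuits the endpoint callback. The status
    // helper yields 401 for anonymous callers and 403 for logged-in ones.
    return new WP_Error(
        'rest_forbidden_comment_search',
        __( 'Sorry, you are not allowed to search comments.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}, 10, 3 );
```

Rejected requests surface in the REST response as a normal error object, so monitoring for repeated `rest_forbidden_comment_search` responses from one client is a cheap way to spot enumeration attempts.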