[wp-trac] [WordPress Trac] #64281: Usernames exposed in wp-sitemap-users.xml is a security risk
WordPress Trac
noreply at wordpress.org
Thu Nov 20 13:13:26 UTC 2025
#64281: Usernames exposed in wp-sitemap-users.xml is a security risk
--------------------------+----------------------
 Reporter:  azulstudio    |       Owner:  (none)
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  Sitemaps      |     Version:
 Severity:  normal        |  Resolution:  invalid
 Keywords:                |     Focuses:
--------------------------+----------------------
Changes (by swissspidy):
* status: new => closed
* resolution: => invalid
* severity: major => normal
* milestone: Awaiting Review =>
Comment:
Hi there and welcome to WordPress Trac!

The WordPress project doesn’t consider usernames or user ids to be private
or secure information. A username is part of your online identity. It is
meant to identify, not verify, who you are saying you are. Verification is
the job of the password.

This includes, for example, retrieving the list of site users through the
REST API Users endpoint, GET /wp-json/wp/v2/users. Making this publicly
accessible is intentional. The same goes for the XML sitemaps.

See
https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue
for more information.

In the future, if you believe you have found a vulnerability in WordPress,
please keep it confidential and
[https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/ report it to the WordPress Security Team].
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64281#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform