WordPress has released WP REST API plugin version 1.2.1, a critical security release which fixes a serious information disclosure vulnerability affecting all previous versions of the plugin. The vulnerability made it possible for the API to retrieve unpublished content and post revisions. Version 1.2 was released at the end of last month and includes a number of bug fixes and improvements.
Due to the severity of the vulnerability, the WordPress security and plugin review teams are pushing security updates for the plugin to websites automatically. However, WordPress sites that have the WP REST API plugin installed should still make sure that the plugin is updated to the latest version. ProgrammableWeb reached out to Rachel Baker, WordPress REST API project co-lead and lead engineer at The Wirecutter, to find out more information about the version 1.2.1 critical security release.
“We are adhering to a policy of responsible disclosure and are not able to provide any additional details regarding the critical security patches released on Thursday,” said Baker. “Due to the distributed structure of the WP REST API, there are still many websites that are running unpatched versions of the API in production. We have to allow a reasonable amount of time for sites to patch, test, and deploy the security patch. The specific amount of time we are going to give sites to update the plugin is still TBD.”
To reiterate, all previous versions of the WP REST API plugin are affected by the information disclosure vulnerability and any WordPress website using this plugin should install the latest release immediately.
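The only action the article asks of site owners is to confirm that every install is on 1.2.1 or later. The script below is an added example (it is not from the article, the WordPress security team or the WP REST API project) that automates that check across several WordPress installs with WP-CLI. It assumes WP-CLI is available and that the plugin's slug is `json-rest-api` (an assumption; adjust it if your install uses a different slug); the fixed version number comes from the article. The version comparison is isolated in `is_affected` so it can be tested without WP-CLI.

```shell
#!/bin/sh
# Added example, not the article's or the plugin project's own code.
# Assumptions: WP-CLI is installed, and the plugin slug is "json-rest-api".
FIXED_VERSION="1.2.1"   # first release that fixes the information disclosure (from the article)
PLUGIN_SLUG="json-rest-api"   # assumption; not stated in the article

# is_affected VERSION
# Returns 0 (true) if VERSION is older than FIXED_VERSION, 1 otherwise.
# Uses GNU sort -V so that 1.2 < 1.2.1 < 1.3 compare as version numbers, not strings.
is_affected() {
    installed="$1"
    if [ "$installed" = "$FIXED_VERSION" ]; then
        return 1
    fi
    lowest=$(printf '%s\n%s\n' "$installed" "$FIXED_VERSION" | sort -V | head -n 1)
    if [ "$lowest" = "$installed" ]; then
        return 0    # installed version sorts before the fix: still vulnerable
    fi
    return 1
}

# check_site /path/to/wordpress
# Prints the plugin state for one install. Returns 0 if it needs updating,
# 1 if it is patched, 2 if the plugin is absent or WP-CLI failed.
check_site() {
    path="$1"
    v=$(wp plugin get "$PLUGIN_SLUG" --field=version --path="$path" 2>/dev/null) || {
        echo "$path: $PLUGIN_SLUG not installed (or wp-cli failed)"
        return 2
    }
    if is_affected "$v"; then
        echo "$path: $PLUGIN_SLUG $v is AFFECTED; update to $FIXED_VERSION or later"
        return 0
    fi
    echo "$path: $PLUGIN_SLUG $v is patched"
    return 1
}

# Usage: sh check-wp-rest-api.sh /var/www/site1 /var/www/site2 ...
# With no arguments the script only defines the functions above.
for site in "$@"; do
    check_site "$site"
done
```

Because the plugin was auto-updated by the WordPress security team, a reported version below 1.2.1 on a site that should have received the push is itself worth investigating: it usually means auto-updates are disabled or the site cannot reach the update servers.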