WordPress Releases Security Update for WP REST API Plugin

WordPress has released version 1.2.1 of the WP REST API plugin, a critical security release that fixes a serious information disclosure vulnerability affecting all previous versions of the plugin. The flaw made it possible to retrieve unpublished content and post revisions through the API. Version 1.2 was released at the end of last month and includes a number of bug fixes and improvements.



WordPress has for some time been working towards becoming a full-fledged application framework, developing new REST APIs that site owners can enable by installing the WP REST API plugin. The plugin also includes a JavaScript API that theme and plugin developers can use to quickly connect to the WordPress platform.

Because of the severity of the vulnerability, the WordPress security and plugin review teams are pushing the security update for the plugin to websites automatically. Sites with the WP REST API plugin installed should nevertheless confirm that the plugin has actually been updated to the latest version, since automatic plugin updates can be disabled or can fail silently. ProgrammableWeb reached out to Rachel Baker, WordPress REST API project co-lead and lead engineer at The Wirecutter, to find out more about the version 1.2.1 critical security release.

“We are adhering to a policy of responsible disclosure and are not able to provide any additional details regarding the critical security patches released on Thursday,” said Baker. “Due to the distributed structure of the WP REST API, there are still many websites that are running unpatched versions of the API in production. We have to allow a reasonable amount of time for sites to patch, test, and deploy the security patch. The specific amount of time we are going to give sites to update the plugin is still TBD.”

To reiterate, all previous versions of the WP REST API plugin are affected by the information disclosure vulnerability and any WordPress website using this plugin should install the latest release immediately.
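One way to confirm that an install has actually received the fix, rather than trusting the automatic update, is to read the installed plugin version out of WP-CLI and compare it against 1.2.1. The script below is an added example and is not code from the article or from the WP REST API project. It assumes the wordpress.org plugin slug is `json-rest-api` and that `wp plugin list --format=csv` prints `name,status,update,version` rows; the sample CSV embedded in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or the WP REST API project).
# Flags WP REST API plugin installs older than the 1.2.1 security release.
# Assumptions: plugin slug "json-rest-api"; WP-CLI CSV columns name,status,update,version.

FIXED_VERSION="1.2.1"

# version_lt A B: exit 0 if dotted version A is older than B.
# Missing components are treated as 0, so 1.2 < 1.2.1 and 1.2.1 == 1.2.1.0.
# Only numeric components are supported (no "1.2-beta" tags).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        case "$a" in *.*) x=${a%%.*}; a=${a#*.} ;; *) x=$a; a='' ;; esac
        case "$b" in *.*) y=${b%%.*}; b=${b#*.} ;; *) y=$b; b='' ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# needs_update VERSION: exit 0 if the installed version predates the fix.
needs_update() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_plugin_list: read WP-CLI CSV rows on stdin, print every vulnerable
# json-rest-api row, and exit 0 if at least one was found (1 otherwise).
check_plugin_list() {
    found=1
    while IFS=, read -r name status update version; do
        [ "$name" = "json-rest-api" ] || continue
        if needs_update "$version"; then
            echo "VULNERABLE: $name $version ($status) -> update to $FIXED_VERSION"
            found=0
        fi
    done
    return $found
}

# Constructed sample of `wp plugin list --format=csv` output for offline use.
SAMPLE_WP_PLUGIN_LIST='name,status,update,version
akismet,active,none,3.1.1
json-rest-api,active,available,1.2
jetpack,inactive,none,3.5'

# Run with --live inside a WordPress install to scan the real plugin list;
# without arguments the constructed sample is checked instead.
if [ "${1:-}" = "--live" ]; then
    if wp plugin list --format=csv | check_plugin_list; then
        echo "unpatched WP REST API install found; run: wp plugin update json-rest-api"
    else
        echo "WP REST API plugin is at or above $FIXED_VERSION (or not installed)"
    fi
else
    if printf '%s\n' "$SAMPLE_WP_PLUGIN_LIST" | check_plugin_list; then
        echo "sample contains an unpatched install"
    else
        echo "sample is patched"
    fi
fi
```

The comparison is done component by component rather than with a string match so that a later release such as 1.3 or 1.10 is not misreported as vulnerable; the same function can be reused for any plugin by changing the slug and `FIXED_VERSION`.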
