PT-2017-16528 · WordPress · Wordpress
Mark Maunder
·
Published
2017-01-15
·
Updated
2017-09-01
·
CVE-2017-5487
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
WordPress versions 4.7 through 4.7.0
Description
The issue allows remote attackers to obtain sensitive information. This is due to the REST API implementation not properly restricting listings of post authors. Attackers can exploit this via a "wp-json/wp/v2/users" request.
Recommendations
For WordPress versions 4.7 through 4.7.0, update to version 4.7.1 to resolve the issue. As a temporary workaround, consider restricting access to the "wp-json/wp/v2/users" endpoint until the update is applied.
Exploit
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wordpress