PT-2021-11868 · WordPress · Aam Advanced Access Manager

Ramuel Gall

·

Published

2021-01-01

·

Updated

2024-01-05

·

CVE-2020-35934

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Advanced Access Manager plugin versions prior to 6.6.2
Description: The Advanced Access Manager plugin for WordPress returns the unfiltered user object, including all of the user's metadata, in the response to a successful login through the REST API endpoints "aam/v1/authenticate" and "aam/v2/authenticate". This becomes an information disclosure whenever the user object carries data the authenticating user is not supposed to see, such as custom metadata that a different plugin stores in usermeta for its own purposes. The CVSS vector reflects the preconditions: the attacker needs a valid account (PR:L) and learns only what is attached to that account's own record (C:L).
Recommendations: Update to version 6.6.2 or later, which filters the user object before it is returned. Until the update is applied, restrict access to the REST API endpoints "aam/v1/authenticate" and "aam/v2/authenticate" (for example by blocking them in front of WordPress) so that the unfiltered response cannot be requested.
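As an added check, not code from the advisory or from the plugin itself, the following Python script posts credentials to the aam/v1/authenticate or aam/v2/authenticate endpoint named above and reports any fields on the returned user object that a login response has no business carrying. The request payload keys ("username"/"password"), the layout of the constructed sample response and the allowlist of expected WP_User fields are assumptions; adjust them to what the target actually returns. It can also be run with no arguments, in which case it audits the embedded sample.

```python
"""Check whether an AAM REST login returns more of the user record than it should.

Added example for CVE-2020-35934, not code from the advisory or the plugin.
The request body keys and the response layout are assumptions.
"""
import json
import sys
import urllib.request
from typing import Any, Iterator

# Fields a login response can legitimately carry for the authenticating user
# (core WP_User properties and its nested "data" record). Anything else found
# on the user object is treated as a candidate leak. user_pass and
# user_activation_key are deliberately absent: a password hash or reset key
# never belongs in an API response. This allowlist is an assumption.
EXPECTED_USER_FIELDS = frozenset({
    "ID", "user_login", "user_nicename", "user_email", "user_url",
    "user_registered", "user_status", "display_name", "data",
    "caps", "cap_key", "roles", "allcaps", "filter",
})


def find_user_objects(node: Any) -> Iterator[dict]:
    """Yield every dict in a JSON tree that looks like a serialized WP_User."""
    if isinstance(node, dict):
        if "user_login" in node:
            yield node
        for value in node.values():
            yield from find_user_objects(value)
    elif isinstance(node, list):
        for value in node:
            yield from find_user_objects(value)


def unexpected_fields(user_obj: dict) -> set:
    """Keys on the user object (and its nested 'data' record) outside the allowlist."""
    keys = set(user_obj)
    data = user_obj.get("data")
    if isinstance(data, dict):
        keys |= set(data)
    return keys - EXPECTED_USER_FIELDS


def audit_response(body: str) -> set:
    """Return the set of unexpected user fields found in an authenticate response."""
    leaked = set()
    for user_obj in find_user_objects(json.loads(body)):
        leaked |= unexpected_fields(user_obj)
    return leaked


def probe(base_url: str, username: str, password: str, version: str = "v2") -> set:
    """POST credentials to /wp-json/aam/<version>/authenticate and audit the reply.

    Assumes a JSON body with 'username' and 'password' keys (an assumption about
    the endpoint's contract); adjust if the target expects something else.
    """
    url = f"{base_url.rstrip('/')}/wp-json/aam/{version}/authenticate"
    payload = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(
        url, data=payload, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return audit_response(resp.read().decode("utf-8"))


# Constructed sample of what a vulnerable response might look like; the two
# some_plugin_* keys stand in for usermeta written by an unrelated plugin.
SAMPLE_RESPONSE = json.dumps({
    "user": {
        "ID": 7,
        "user_login": "editor",
        "display_name": "Site Editor",
        "roles": ["editor"],
        "data": {
            "ID": 7,
            "user_login": "editor",
            "user_email": "editor@example.test",
            "user_registered": "2020-06-01 10:00:00",
        },
        "some_plugin_api_secret": "sk_placeholder",
        "some_plugin_internal_notes": "not for the user's eyes",
    },
    "token": "placeholder.jwt.token",
})


if __name__ == "__main__":
    if len(sys.argv) == 4:
        found = probe(*sys.argv[1:4])  # base_url username password
    else:
        found = audit_response(SAMPLE_RESPONSE)
    print("unexpected fields:", sorted(found) or "none")
```

Run it against a staging copy with a low-privileged test account: any key it lists is data the plugin handed to that account on login, which is exactly the condition the advisory describes. An empty result on a patched site and a non-empty one on a pre-6.6.2 site with other plugins writing usermeta is the expected before/after.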

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2020-35934

Affected Products

Aam Advanced Access Manager