Opened 2 months ago
Closed 2 months ago
#61143 closed defect (bug) (duplicate)
Our REST API user listing has chances to reveal the username of the Administrator user ("wp-json/wp/v2/users")
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.7 |
| Component: | REST API | Keywords: | |
| Focuses: | | Cc: | |
Description
Whenever we create a setup in WordPress, at that time we have to add a user name. So after the setup, we can log in to the admin panel with that new user. I know that in the API it shows the display name field. But in 90% of the cases, it takes the username as the display name. Admin users do not change this even after creating a new user. So when I hit "http://localhost/wordpress/security-check/wp-json/wp/v2/users" in my local setup, it shows me the admin user name (the display name is the same as the user name). When I did the setup of WordPress, I created a user with the name "security-check-admin", and the same name I can see in the users API. I think this is a bad idea. I prefer that this API should not give any information about the administrator role. Even if you give access, user names should not be revealed like this. I am attaching some photos so you guys can check. I have tested this on version 6.5.2. Please look into this.
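As an added example, not part of this ticket and not WordPress core's own code, the following must-use plugin shows one way a site owner can require authentication for the `/wp/v2/users` routes using the core `rest_pre_dispatch` filter. The plugin name, the error code string and the file location are assumptions made for illustration; logged-in requests (cookie plus nonce, or an application password) pass through unchanged so the editor's author selector keeps working.

```php
<?php
/**
 * Plugin Name: Require authentication for the users REST routes (example)
 *
 * Place this file in wp-content/mu-plugins/ so it loads on every request.
 * Unauthenticated requests to /wp/v2/users and /wp/v2/users/<id> are
 * answered with a 401 before the endpoint runs; everything else, and every
 * authenticated request, is left to core.
 */

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Another filter already produced a response or error: respect it.
    if ( null !== $result ) {
        return $result;
    }

    // Only the users collection and single-user routes are affected.
    // Matches "/wp/v2/users", "/wp/v2/users/5" and "/wp/v2/users/me".
    if ( ! preg_match( '#^/wp/v2/users(/|$)#', $request->get_route() ) ) {
        return $result;
    }

    // In a REST request, is_user_logged_in() is only true when the cookie
    // came with a valid nonce or an application password was supplied, so a
    // plain browser visit to the URL from the ticket is treated as anonymous.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Hypothetical error code chosen for this example.
    return new WP_Error(
        'rest_user_listing_requires_auth',
        __( 'Authentication is required to access user information.' ),
        array( 'status' => 401 )
    );
}, 10, 3 );
```

After enabling it, an anonymous request to `wp-json/wp/v2/users` returns a JSON error with HTTP status 401 instead of the user list, while the same request sent with a logged-in session and `X-WP-Nonce` header still returns the users. This is a per-site hardening choice layered on top of core, which (as the response in this ticket states) does not treat username disclosure as a security issue.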
Attachments (1)
Change History (2)
#1
@
2 months ago
- Focuses rest-api privacy removed
- Keywords needs-privacy-review needs-patch removed
- Milestone Awaiting Review deleted
- Resolution set to duplicate
- Severity changed from critical to normal
- Status changed from new to closed
- Version changed from 6.5 to 4.7
Duplicate of #52169.
Hi there and welcome to WordPress Trac!
As per our security FAQ, disclosure of usernames is not considered to be a security issue.
This file shows that "wp-json/wp/v2/users" contains the admin user name.