JSON REST API: Version 1.1.1 (Security Release)

I’d like to announce the availability of version 1.1.1 of the JSON REST API. This is a security releaseRelease A release is the distribution of the final version of an application. A software release may be either public or private and generally constitutes the initial or new generation of a new or upgraded application. A release is preceded by the distribution of alpha and then beta versions of the software. for a minor security issuesecurity issue A security issue is a type of bug that can affect the security of WordPress installations. Specifically, it is a report of a bug that you have found in the WordPress core code, and that you have determined can be used to gain some level of access to a site running WordPress that you should not have., however we recommend all users running 1.1 upgrade as soon as possible.

This release only affects users running WP APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways. on a domain with other (non-WordPress) software running. Using the JSONP support built-in to the API, it is possible to serve up arbitrary Flash SWF files from the API, allowing these Flash files to bypass browser cross-origin domain policies. While WordPress includes built-in CSRF protection, other software running on the same domain may not include similar protections.

As a workaround, JSONP support can be disabled on your site with:

add_filter( 'json_jsonp_enabled', '__return_false' );

Thanks to @iandunn for reporting this issue to the team responsibly.

We’d also like to announce that WP-API is now available on HackerOne. We invite security researchers and developers to report any potential security issues to us via HackerOne, allowing us to triagetriage The act of evaluating and sorting bug reports, in order to decide priority, severity, and other factors. and fix issues privately, and also award bounties for valid security reports.

#json-api, #rest-api