I’d like to announce the availability of version 1.1.1 of the JSON REST API. This is a security release for a minor security issue, however we recommend all users running 1.1 upgrade as soon as possible.
This release only affects users running WP API on a domain with other (non-WordPress) software running. Using the JSONP support built-in to the API, it is possible to serve up arbitrary Flash SWF files from the API, allowing these Flash files to bypass browser cross-origin domain policies. While WordPress includes built-in CSRF protection, other software running on the same domain may not include similar protections.
As a workaround, JSONP support can be disabled on your site with:
add_filter( 'json_jsonp_enabled', '__return_false' );
Thanks to @iandunn for reporting this issue to the team responsibly.
We’d also like to announce that WP-API is now available on HackerOne. We invite security researchers and developers to report any potential security issues to us via HackerOne, allowing us to triage and fix issues privately, and also award bounties for valid security reports.