WP REST API plugin version 1.2.1 is now available as a critical security release. This release fixes a serious information disclosure vulnerability, which allowed for unpublished content and post revisions to be retrieved via the REST API.
All previous versions of the plugin are affected. All WP REST API users are strongly encouraged to update immediately. Update with one click from Dashboard → Updates, get it from the plugin directory (zip), or pull it from GitHub.
This release was coordinated by the REST API team and the WordPress core security team. The security team is pushing automatic updates for this plugin. Each branch was separately patched; there are packages for 1.2.1, 1.1.3, 1.0.2, 0.9.2, and 0.8.2.
If you believe you have discovered a potential security vulnerability with the WP REST API, please disclose it to us privately by sending an email to firstname.lastname@example.org. Security issues can also be reported via HackerOne.
If you have a question about the release, you can find the team in #core-restapi on WordPress.org Slack, or you can privately message @rachelbaker, @danielbachhuber, or @joehoyle.