For the first REST API release of 2016, we bring you: 2.0 Beta 10 “Chief Wiggum”. Because we’ve got security releases too, Ralphie.
On Friday, we discovered that attachments uploaded to private posts are publicly queryable through the REST API. This is a form of information disclosure because WordPress’ permissions model is such that attachments uploaded to posts should inherit the visibility of their parent post.
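As an added illustration of the permission rule just described (this is not the plugin's actual patch), the hypothetical `example_attachment_is_readable()` below walks an attachment up to its parent post before deciding whether the current user may read it, and a `rest_pre_dispatch` hook uses it as a defence-in-depth check in front of the single-media route; the hook name, route prefix and WordPress functions are real, everything else is assumed for the example.

```php
<?php
/**
 * Illustrative only: decide whether the current user may read an attachment.
 * Attachments carry the "inherit" status, so their visibility must come
 * from the parent post rather than from the attachment row itself.
 */
function example_attachment_is_readable( $attachment_id ) {
    $attachment = get_post( $attachment_id );
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        return false;
    }

    // Users with an explicit read capability on the attachment are fine.
    if ( current_user_can( 'read_post', $attachment->ID ) ) {
        return true;
    }

    // Inheriting from a parent: the parent's status decides.
    if ( 'inherit' === $attachment->post_status && $attachment->post_parent > 0 ) {
        $parent = get_post( $attachment->post_parent );
        if ( ! $parent ) {
            return false;
        }
        $status = get_post_status_object( $parent->post_status );
        if ( 'publish' === $parent->post_status || ( $status && $status->public ) ) {
            return true;
        }
        // Private, draft, pending, etc.: only users allowed to read the parent.
        return current_user_can( 'read_post', $parent->ID );
    }

    // Orphaned "inherit" attachment: WordPress treats it as published.
    return 'inherit' === $attachment->post_status;
}

/**
 * Defence-in-depth: refuse GET /wp/v2/media/<id> for attachments the
 * current user may not read, before the controller callback runs.
 */
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( preg_match( '#^/wp/v2/media/(\d+)$#', $request->get_route(), $m )
        && ! example_attachment_is_readable( (int) $m[1] ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Sorry, you are not allowed to view this attachment.',
            array( 'status' => is_user_logged_in() ? 403 : 401 )
        );
    }
    return $result;
}, 10, 3 );
```

The check above only covers the single-item route; collection queries would need the same parent-aware rule applied per item.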
All previous versions of the plugin are affected. All WP REST API users are strongly encouraged to update immediately. Many prior releases have been separately patched. If you’re still using WP-API v1.x, you can update to v1.2.5. If you’re on an older 2.0 Beta for whatever reason, we’ve tagged versions 2.0 Beta 3.1, 4.1, 5.1, 6.1, 7.1, 8.1, and 9.1.
If you believe you have discovered a potential security vulnerability with the WP REST API, please disclose it to us privately by sending an email to firstname.lastname@example.org. Security issues can also be reported via HackerOne.
Version 2.0 Beta 10
Here are some of the highlights of Beta 10:
- Removes compatibility repo for WordPress 4.3. WordPress 4.4 is now the minimum supported version.
- Changes link relation for types and taxonomies. In Beta 9, this link relation was introduced as `item`, which isn’t correct. The relation has been changed to
- `edit` context for `wp/v2/taxonomies`. Some fields have moved into this context, which require
- `post_format` as a term `_link` for Posts. Post formats aren’t a custom taxonomy in the eyes of the REST API.
- Consistently query for a specified set of items. Adds `include` param to
- Tons of minor improvements and bug fixes. You should read the full changelog for all of them.
As always, we have a detailed changelog as well as the full set of changes if you’re interested.