WP REST API Versions 2.0 Beta 12.1 and 2.0 Beta 13.1 are security releases to address a data privacy issue with the Users endpoint. Given certain parameters, private user data such as email addresses may be exposed to unauthenticated users.
This release was coordinated by the REST API team and the WordPress core security team. The security team is pushing automatic updates, but do not wait or rely on the automatic update process. We recommend sites or plugins that are using either 2.0 Beta 12 or 2.0 Beta 13 to update the plugin immediately. Download your respective version from WordPress.org or Github.
Thanks to James Kettle (PortSwigger Web Security) via HackerOne for reporting this issue to the team responsibly, and to David Remer (websupporter) for inadvertently fixing this issue on Github.
If you believe you have discovered a potential security vulnerability with the WP REST API, please disclose it to us privately by sending an email to firstname.lastname@example.org. Security issues can also be reported via HackerOne.