First and foremost: version 1.2.3 of the REST API is now available. Download it from the plugin repository or from GitHub. This is a security release affecting sites running version 1.2 or a 2.0 beta release.
Recently, we were alerted to a potential XSS vulnerability introduced in version 1.2 of the API related to the JSONP support. This vulnerability also existed in version 2.0. Thanks to Alex Concha (@xknown) for reporting this issue to the team responsibly.
This release was coordinated by the REST API team and the WordPress core security team. The security team is pushing automatic updates for version 1.2.3, but do not wait or rely on the automatic update process. We recommend sites or plugins that are using either v1.2.x or 2.0 beta releases update the plugin immediately.
If you’d prefer not to upgrade, you can instead disable JSONP support through a filter. For version 1:
add_filter( 'json_jsonp_enabled', '__return_false' );
To disable JSONP on version 2:
add_filter( 'rest_jsonp_enabled', '__return_false' );
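Once one of those filters is in place, it is worth confirming the site really stopped answering JSONP. The following Python check is an added example, not code from this post or the plugin; it assumes the callback name travels in the `_jsonp` query parameter and that an enabled JSONP reply wraps the body as `callback(...)`, both of which are assumptions rather than anything stated above.

```python
"""Check that JSONP is really off after applying one of the filters above.
Added example, not the post's or the plugin's code. Assumes the API reads the
callback name from `_jsonp` and wraps replies as `callback(...)`, maybe `/**/`-prefixed."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

CALLBACK = "wpapi_jsonp_probe"  # plain identifier handed to the API as callback

def classify_response(body: str, callback: str = CALLBACK) -> str:
    """'jsonp' for callback-wrapped JSON, 'json' for a bare JSON document
    (what a site with JSONP disabled returns, error objects included),
    'other' for anything else (HTML error page, empty body, ...)."""
    text = body.strip()
    pattern = r"(?:/\*\*/)?\s*" + re.escape(callback) + r"\((.*)\);?"
    wrapped = re.fullmatch(pattern, text, re.S)
    if wrapped:
        try:
            json.loads(wrapped.group(1))
            return "jsonp"
        except ValueError:
            return "other"
    try:
        json.loads(text)
        return "json"
    except ValueError:
        return "other"

def jsonp_disabled(body: str, callback: str = CALLBACK) -> bool:
    """True only when the server answered bare JSON despite being asked for a
    callback; an unparseable reply is not taken as proof either way."""
    return classify_response(body, callback) == "json"

def probe_site(base_url: str, callback: str = CALLBACK, timeout: float = 10.0) -> str:
    """Fetch the API index at base_url (e.g. https://example.com/wp-json/) with
    a callback and classify the reply. Needs network; not exercised below."""
    url = base_url.rstrip("/") + "/?" + urllib.parse.urlencode({"_jsonp": callback})
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # e.g. 400 carrying a JSON error body
        body = err.read().decode("utf-8", "replace")
    return classify_response(body, callback)

# Constructed sample replies, not captured from a real site.
SAMPLE_ENABLED = '/**/wpapi_jsonp_probe({"name":"Example","url":"https://example.com"});'
SAMPLE_DISABLED = '{"code":"jsonp_disabled","message":"JSONP support is disabled."}'
```

Run `probe_site("https://your-site.example/wp-json/")` against your own install after deploying the filter; anything other than `"json"` means the mitigation is not verified yet.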
Version 2.0 Beta 4
This beta release includes the security fix from version 1.2.3, so we recommend everyone running a version 2 beta update immediately to fix the issue.
As well as the security release, this beta also includes a bunch of other changes. Here are some highlights:
- Show public user information through the user controller.
In WordPress as of r32683 (scheduled for 4.3), WP_User_Query now has support for getting users with published posts. To match current behaviour in WordPress themes and feeds, we now expose this public user information. This includes the avatar, description, user ID, custom URL, display name, and URL, for users who have published at least one post on the site. This information is available to all clients; other fields and data for all users are still only available when authenticated.
- Send schema in OPTIONS requests and index.
Rather than using separate /schema endpoints, the schema for items is now available through an OPTIONS request to the route. This means that full documentation is now available for endpoints through an OPTIONS request; this includes available methods, what data you can pass to the endpoint, and the data you’ll get back.
⚠️ This breaks backwards compatibility for clients relying on schemas being at their own routes. These clients should instead send OPTIONS requests.
- Embed links inside items in a collection.
Previously when fetching a collection of items, you only received the items themselves. No longer! You can now request a collection with embeds enabled (try
- WP_Query vars back to
In version 1, we had internal WP_Query vars available via filter[s]=search+term). For our first betas of version 2, we tried something different and exposed these directly on the endpoint. The experiment has now concluded; we didn’t like this that much, so
⚠️ This breaks backwards compatibility for users using WP Query vars. Simply change your
⚠️ This breaks backwards compatibility by changing the
(Note that while this version 2 beta breaks backwards compatibility, the 1.2.3 security release does not break compatibility with the 1.2 branch.)
This release had 11 contributors, and we’d like to thank each and every one of them:
$ git shortlog 2.0-beta3...2.0-beta4 --summary
     1  Daniel Bachhuber
    11  Daniel Jalkut
     1  Fredrik Forsmo
     1  Jared Cobb
     3  Jay Dolan
    26  Joe Hoyle
    10  Josh Pollock
    25  Rachel Baker
    50  Ryan McCue
    24  Stephen Edgar
     8  Taylor Lovett
Thank you again to all of our beta testers, and thanks to everyone who let us know how you’re using the API. We’re taking note of all of your feedback, and you might see some further changes related to that in coming releases.