• Resolved angiepunkt

    (@angiepunkt)


    Hello!
    I get this warning from my hoster. Is Rank Math safe with the latest update (Version 1.0.96)?
    Thank you, Angie.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support Rank Math Support

    (@rankmathteam)

    Hello @angiepunkt,

    Thank you for contacting the support.

    Our plugin does not open up any vulnerable endpoints. It only exposes endpoints that were previously public (before the user blocked them via .htaccess), so making them public again probably does not pose any real danger.

    We consider this to be a minor security issue (CVSS around 3.1), given the prerequisites of:
    A) The “Headless CMS Support” option must be enabled on the site, which is OFF by default for all users.
    B) The other endpoints must be blocked via .htaccess, using very specific rules, also considering that the endpoint has sensitive data.
    C) Blocking the endpoints via WP’s own system of filters and action hooks, which is the more standard way of doing it on a WP site, would prevent this issue. A different set of rules in the .htaccess file can also prevent this issue.
    D) An attacker would have to know about the protected endpoint.

    Having said that, we fixed the issue the next day with a hotfix, so we recommend updating to the latest version.

    Hope that helps, and please do not hesitate to let us know if you need our assistance with anything else.
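
    As an added illustration of point C above (example code, not Rank Math's own and not from this thread): restricting a REST route with WordPress's `rest_endpoints` filter rather than with an .htaccess path rule, so the restriction holds no matter which URL or feature reaches the route. The route pattern is a constructed placeholder, not an endpoint named on this page.

```php
<?php
/**
 * Added example (not Rank Math code). Why a path rule is fragile:
 * an .htaccess rule such as (constructed)
 *   RewriteRule ^wp-json/wp/v2/users [R=403,L]
 * only matches that exact URL. The same route is also reachable via
 * /?rest_route=/wp/v2/users, and any feature that later re-exposes the
 * data under another path is not covered. A filter inside WordPress is
 * applied before routing, independent of the URL used.
 */

/**
 * Route prefixes to remove from the REST server. Constructed example:
 * the core user listing and single-user routes.
 */
function example_restricted_rest_routes(): array {
    return array( '/wp/v2/users' );
}

/**
 * Drop every registered route whose path starts with a restricted prefix.
 * Once removed, WordPress answers 404 (rest_no_route) for it regardless
 * of how the request arrived.
 */
function example_remove_restricted_routes( array $endpoints ): array {
    foreach ( array_keys( $endpoints ) as $route ) {
        foreach ( example_restricted_rest_routes() as $prefix ) {
            // Match the prefix exactly or followed by a sub-path ("/(?P<id>...)").
            if ( $route === $prefix || str_starts_with( $route, $prefix . '/' ) ) {
                unset( $endpoints[ $route ] );
                break;
            }
        }
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'example_remove_restricted_routes' );
```

    Unlike the .htaccess approach, this can be checked from inside WordPress with `rest_get_server()->get_routes()`, which should no longer list the removed routes.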

    Thread Starter angiepunkt

    (@angiepunkt)

    Thank you!!

    Plugin Support Rank Math Support

    (@rankmathteam)

    Hello @angiepunkt,

    We are glad that we were able to address your concerns.

    If it isn’t too much to ask for – would you mind leaving us a review here?
    https://www.ads-software.com/support/plugin/seo-by-rank-math/reviews/#new-post

    It only takes a couple of minutes but helps us tremendously.

    It would mean so much to us and would go a really long way.

    Thank you.

  • The topic ‘Server-Side Request Forgery (SSRF) vulnerability’ is closed to new replies.