• Resolved jetxpert

    (@jetxpert)


    Your plugin does not offer the option to disable REST API.

    Without the above feature, websites can be compromised by hackers using information obtained from the following URLs (sample only):

    mydomain.com/wp-json/wp/v2/users
    mydomain.com/wp-json/wp/v2/posts
    mydomain.com/?author=N (where N = any number starting with 1)

    Please refer to this article for information concerning this vulnerability.

    On the bright side, using your plugin’s activity log feature, we were able to identify malicious IPs searching for information using the above URLs. They were successful at first (HTTP Status Code 200), but are now blocked (HTTP Status Code 401).

    Until your plugin is updated, we have disabled REST API in the frontend using another plugin.

    Hoping you guys will add REST API protection to your plugin very soon.

    Thank you!
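One way to implement the two restrictions the post asks for, as an added illustration for this thread (not code from the SiteGround Security plugin or from any participant): a must-use plugin that uses WordPress's `rest_authentication_errors` filter to answer anonymous REST requests with the same 401 the post reports, and the `template_redirect` hook to stop `/?author=N` from redirecting to the author's archive.

```php
<?php
/**
 * Plugin Name: Restrict REST API and author enumeration (example)
 *
 * Drop into wp-content/mu-plugins/ so it loads before other plugins.
 * Illustrative code written for this thread; it is not part of SG Security.
 */

// 1. Require an authenticated user for every REST request. Anonymous calls to
//    /wp-json/wp/v2/users and /wp-json/wp/v2/posts then receive HTTP 401.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another callback already produced an error or an explicit success; keep it.
    if ( null !== $result ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to use the REST API.' ),
            array( 'status' => 401 )
        );
    }
    return $result;
} );

// 2. Refuse front-end requests carrying a numeric ?author= query variable before
//    redirect_canonical() (priority 10 on the same hook) can turn /?author=1
//    into /author/<username>/ and reveal the login name.
add_action( 'template_redirect', function () {
    if ( is_admin() ) {
        return;
    }
    if ( isset( $_GET['author'] ) && preg_match( '/^\d+$/', (string) $_GET['author'] ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}, 1 );
```

The blanket 401 also blocks legitimate unauthenticated REST consumers (front-end forms, headless clients), so on a real site the first filter should allowlist the specific routes those need rather than denying everything.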

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Hristo Pandjarov

    (@hristo-sg)

    SiteGround Representative

    Thanks for the recommendation, we will consider it for future releases.

    Thread Starter jetxpert

    (@jetxpert)

    @hristo-sg,

    Above is important. Why only a consideration?

    We applied the above URLs to your website. This is what we got.

    What is SiteGround using to obfuscate its website? For those that pay “big bucks” to SiteGround for hosting services, why don’t our websites have the same level of built-in protection?

    From our point of view, with all due respect, this topic is not solved until your plugin provides the needed protection.

    Thank you.

    (@boluda)

    SiteGround.com is not a WordPress site. That's why you get a 404.

    Plugin Author Hristo Pandjarov

    (@hristo-sg)

    SiteGround Representative

    As @boluda said, SiteGround.com is not a WordPress site.

    We have a development process. All feedback is considered, all new features are tasked and prioritized based on the needs of all users and the time it would consume to make it happen. So “consideration” is actually what every new feature goes through. When and if it will become a reality I can’t say at this moment.

    Thread Starter jetxpert

    (@jetxpert)

    @hristo-sg,

    Thank you. We get it. It’s all about semantics.

    We’re certain SG has many requests that need to be reviewed for consideration and approval before they’re implemented. Hopefully, SG will place our request at the top of list (affects all users of SG Security).

    Cheers!

  • The topic ‘Vulnerability Exposed | REST API’ is closed to new replies.