Description
wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.