User Information Disclosure via the REST API - /?_method=GET
State Resolved (Closed)
Disclosed publicly 2018-09-10T01:22:37.461Z
Reported To
Weakness Information Disclosure
Bounty $50

Summary by lovepakistan


The reporter found that user information leaked from


The issue was resolved during normal and scheduled hardening of Wordpress.


The issue was valid and the reporter provided enough proof. This is typical Wordpress, what we know as a "feature", that every WP administrator should be aware of.

We've had several reports on related issues, but as all were carried out differently we decided to award each separately.

lovepakistan submitted a report to LocalTapiola.

Basic report information

Browser access to is restricted for the general public, but it is still accessible through , through which user information is leaked.

By default WordPress allows public access to the REST API to get information about all users registered on the system, but you have restricted it internally. I saw several reports on this issue reported on . Now, as a fix to those reports, requests to /wp-json/wp/v2/users are blocked and return an error like this:

Refer to

It also successfully blocks requests such as /?rest_route=/wp/v2/users.

Refer to lahitapiolarahoitus.fi1.JPG

However, the REST API allows simulating different request types. As such, we can perform a POST request with the “users” string in the body of the request, and tell the REST API to act like it’s received a GET request.

Steps To Reproduce:

curl -d rest_route=/wp/v2/users "https://<target-host>/?_method=GET"

Browsers / Apps Verified In:

  • It was tested via the curl command.

Additional material

Refer to finalPOC.JPG


It allows anonymous access to functionality that allows a hacker to list all users who have published a post on a WordPress site.
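As an added defender's example (not part of the original report, and not LocalTapiola's actual fix, which is not described here): a WordPress must-use plugin that blocks the users route on the resolved request rather than on the URL, so it covers /wp-json/wp/v2/users, ?rest_route=/wp/v2/users and a rest_route sent in a POST body with _method=GET alike. The hook, classes and functions are WordPress core APIs; the plugin name and file location are assumptions.

```php
<?php
/**
 * Plugin Name: Block anonymous user enumeration via the REST API (example)
 *
 * Added example; drop into wp-content/mu-plugins/ (file name is an assumption).
 * It hooks rest_pre_dispatch, which runs after WordPress has resolved the
 * route (from /wp-json/..., ?rest_route=, or a rest_route in the POST body)
 * and after the _method / X-HTTP-Method-Override override has been applied,
 * so a block keyed on the URL path alone cannot be sidestepped.
 */

add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    // Another filter already short-circuited dispatch; keep its verdict.
    if ( null !== $result ) {
        return $result;
    }

    // The resolved REST route, e.g. "/wp/v2/users" or "/wp/v2/users/3",
    // regardless of how the request addressed it.
    $route = $request->get_route();
    if ( ! preg_match( '#^/wp/v2/users(?:/|$)#', $route ) ) {
        return $result;
    }

    // Authenticated users (cookie + nonce, or an application password) keep
    // access; anonymous callers get the same 401 WordPress uses elsewhere.
    if ( is_user_logged_in() ) {
        return $result;
    }

    return new WP_Error(
        'rest_user_cannot_view',
        __( 'Sorry, you are not allowed to list users.' ),
        array( 'status' => 401 )
    );
}, 10, 3 );
```

After installing it, re-run the three request forms from this report (direct path, ?rest_route=, and POST body with ?_method=GET) as an anonymous client; all three should now return the 401 error, while a logged-in editor still sees the user list.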


localtapiola-thomas Activities::Comment
Thanks a lot for reporting this potential issue back to us. LocalTapiola takes security very seriously and would appreciate if you would not share any information about this report until we have determined whether this is a bug and what any potential impact (or fix) will be. Our security team will take a look at this issue as soon as possible. We aim to respond to your report as soon as possible, but due to the complexity of the systems, triaging many times can take a long time. We prioritize issues - reports containing trivial issues with limited (or no) business impact and badly written reports with insufficient information on how to reproduce the issue receive a lower priority. Please do not request updates for at least 20 days into the process. Once triaged and verified, bounty decisions are made 1-2 times per month. *Note: if we frequently dismiss your reports, make sure you have read our policy and stay in scope and that you know how to write good reports - and Also, our policy contains a lot of information on what is relevant and what is not.*

lovepakistan Activities::Comment
Any updates?

localtapiola-thomas Activities::BugTriaged
This works, we have tested it. A fix will be rolled out, the schedule is not known for now.

localtapiola-thomas Activities::ReportTitleUpdated

Awarding bounty equal to similar reports.

localtapiola-thomas Activities::Comment
You could retest this, we are of course also interested in knowing if you can somehow circumvent our mitigation.

lovepakistan Activities::Comment
Have not found any way to still do this. It is fixed. Thanks !

lovepakistan Activities::Comment
It is fixed, please change the status of the report.

localtapiola-thomas Activities::BugResolved
Closing as resolved.

localtapiola-thomas Activities::AgreedOnGoingPublic
No secrets, full disclosure.

lovepakistan Activities::AgreedOnGoingPublic

lovepakistan Activities::ReportBecamePublic