Description
wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.
Remediation
References
Related Vulnerabilities
WordPress Plugin Timetable and Event Schedule by MotoPress Cross-Site Scripting (2.3.18)
Oracle Database Server CVE-2010-3600 Vulnerability (CVE-2010-3600)
WordPress Plugin The Plus Addons for Elementor Security Bypass (4.1.10)
Jetty Improper Neutralization of Quoting Syntax Vulnerability (CVE-2023-36479)