{"id":"CVE-2017-5487","details":"wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.","modified":"2026-04-10T04:01:40.720628Z","published":"2017-01-15T02:59:02.797Z","references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/95391"},{"type":"WEB","url":"http://www.securitytracker.com/id/1037591"},{"type":"WEB","url":"https://wpvulndb.com/vulnerabilities/8715"},{"type":"WEB","url":"https://www.exploit-db.com/exploits/41497/"},{"type":"ADVISORY","url":"https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2017/01/14/6"},{"type":"ADVISORY","url":"https://codex.wordpress.org/Version_4.7.1"},{"type":"ADVISORY","url":"https://www.wordfence.com/blog/2016/12/wordfence-blocks-username-harvesting-via-new-rest-api-wp-4-7/"},{"type":"FIX","url":"https://github.com/WordPress/WordPress/commit/daf358983cc1ce0c77bf6d2de2ebbb43df2add60"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress","events":[{"introduced":"0"},{"last_affected":"14247ee4302378d292863865c643abe99bbfe3c7"},{"fixed":"daf358983cc1ce0c77bf6d2de2ebbb43df2add60"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.7"}]}}],"versions":["4.7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-5487.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}