Critical Security Update For the WP REST API Plugin

The WP REST API development team has released a critical security update. Rachel Baker, one of the lead developers of the WP REST API plugin, says, “The release fixes a serious information disclosure vulnerability, which allowed for unpublished content and post revisions to be retrieved via the REST API.” The vulnerability affects versions 1.2.0 and earlier.

The security update was coordinated by the REST API team and the WordPress core security team. The core security team is pushing out automatic updates for each release branch; there are packages for 1.2.1, 1.1.3, 1.0.2, 0.9.2, and 0.8.2.

If you’re using WP REST API version 1.2.0 or earlier, don’t wait for the automatic update; update manually as soon as possible. You can update from Dashboard → Updates in the WordPress admin, download the zip from the plugin directory, or pull it from GitHub.

In addition to the WP REST API plugin, Custom Contact Forms and Reactor: Core have pushed out security updates related to the WP REST API vulnerability. If you use any of the plugins mentioned above, please update as soon as possible.
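As an added illustration of the class of bug described above (not code from the WP REST API plugin, WordPress core or WooCommerce), here is a REST route permission callback in the weak form that discloses drafts and revisions, beside a hardened form that defers to WordPress capabilities. It assumes WordPress core’s register_rest_route() API (4.4+) rather than the 1.x plugin’s routing, and every name prefixed example_ is hypothetical.

```php
<?php
// Illustrative example only: not code from the WP REST API plugin, WordPress core
// or WooCommerce. Assumes core's register_rest_route() (WordPress 4.4+) and
// core's map_meta_cap() rules. All "example_" names are hypothetical.

// Weak pattern: any post that exists is returned, so drafts, pending and
// private posts and revisions are disclosed to unauthenticated callers.
function example_weak_permission( WP_REST_Request $request ) {
    return (bool) get_post( (int) $request['id'] );
}

// Hardened pattern: decide on capabilities rather than on existence.
// - A revision is readable only by someone who may edit its parent post
//   (the same check core's REST revisions controller applies).
// - For other posts, 'read_post' resolves via map_meta_cap() to 'read' for
//   published posts, 'read_private_posts' for private ones, and 'edit_post'
//   for drafts/pending posts the caller did not author.
function example_hardened_permission( WP_REST_Request $request ) {
    $post = get_post( (int) $request['id'] );
    if ( ! $post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.',
            array( 'status' => 404 ) );
    }
    $parent_id = wp_is_post_revision( $post ); // parent ID, or false if not a revision
    if ( $parent_id ) {
        if ( ! current_user_can( 'edit_post', $parent_id ) ) {
            return new WP_Error( 'rest_forbidden', 'Cannot view revisions of this post.',
                array( 'status' => rest_authorization_required_code() ) );
        }
        return true;
    }
    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        return new WP_Error( 'rest_forbidden', 'Cannot view this post.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

// Route callback: only reached after the permission callback returned true.
function example_get_post( WP_REST_Request $request ) {
    $post = get_post( (int) $request['id'] );
    return rest_ensure_response( array(
        'id'      => $post->ID,
        'status'  => $post->post_status,
        'title'   => $post->post_title,
        'content' => $post->post_content,
    ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/posts/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_post',
        'permission_callback' => 'example_hardened_permission', // not example_weak_permission
    ) );
} );
```

With the hardened callback, an unauthenticated GET for a draft or a revision gets a 401, and a logged-in subscriber who is not the author gets a 403, while published posts remain readable by anyone.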

14 Comments


  1. WooCommerce uses the REST API, does it not? Do you know if they’ll be pushing an update as well?

    1. To this point, I’ve seen nothing to indicate they have or will. I’ll get in touch with them just to make sure.

    2. The WooCommerce API is a customized fork of the WP REST API. I do not see the issue present in their API code, but I will leave it to a WooCommerce employee to confirm.

    3. The WooCommerce REST API uses the read_private_posts capability (editors+ with this capability can view all revisions), so it is not affected.

      Since WC doesn’t actually use revisions for products or orders, we’re going to add a small patch to deny revision access anyway. That will also prevent access if someone gives read_private_posts access to other user roles. See https://github.com/woothemes/woocommerce/pull/7931

  2. VaultPress customers should have received an automated update about an hour ago.

  3. Never used it. I won’t use any commerce-type plugin for a CMS short of a bridge to a tried and tested commerce application. This is just a no-brainer. A site is dealing with information related to others’ finances. Want to end up buried, or perhaps even behind bars, when an entity such as Chase or American Express files suit on behalf of themselves and their customers?

    It’s just a plain no-brainer. Just because a plugin or component or widget adds some really cool capabilities to a general-purpose content management system does not mean that it should be used for that purpose.

    Before we dumped most Joomla work we’d been asked many times to add commerce into sites developed for others. We won’t do it. They want to do it? Go ahead. The liability is just WAY too dangerous, at least here in the USA. Of course, it does depend on WHAT is exposed. But even at that, litigating as a small business against entities of that size is brutal. I went rounds with Amex once (this was when I’d worked with Haggle Online) and I pray it never happens again. They are absolutely METICULOUS at hammering away (their legal beagles) and will hit from any and/or all angles they can hammer from. For example, “Are you a programmer?” Yes. “Then is it not your job, when protecting our clients’ information, to ensure the security of their information?” Yes. “Did you do that?” “We used a third-party plugin for the commerce.” “And where is that third party’s representation in this proceeding?” “They have a disclaimer of usage in respect to any damages caused or losses due to their plugin.” “And you were aware of this?” Yes. “So this firm will not ensure usage of their plugin in any respect, from function to security, but you felt it safe to use? Why?”

    Or from the other end: “Are you a programmer?” “No sir, I am a site developer.” “What is the differentiation?” “I create artwork and set up websites for clients using pre-existing software.” “Are you an Internet security expert?” “No.” “Yet you feel you are qualified to create public-facing commerce sites for clients who are trusting that your work keeps their business and customers’ information secure?” “Ummm…. Well, they signed off on our disclaimer of liability.” “Your disclaimer does not void you of responsibility to us, a banking institution, or our customers. We signed no such agreements. Your disclaimer is between you and your client, not the forward-facing public that had no indication that this website was constructed by someone who has no knowledge of Internet security nor even how the software itself operates internally. You have already admitted to this court that you are in fact not qualified in any way, shape or form to ensure the security of the forward-facing public or the banks involved in their finances.”

    This is just a NO-BRAINER. Don’t do it.

    If you MUST set up eCommerce for a client, use something that is WHAT IT DOES: Prestashop, Magento, etc. If you need to bridge them, bridge them, and make sure in writing, by an IT counselor, that your disclaimers are sound, as eCommerce is DIFFERENT from “Here’s a blog”.

    1. Sorry dude, but you are clearly missing the mark here. I can’t even explain how many false assumptions you make in this comment. But if you are happy to continue working with ‘real’ eCommerce software and not use anything like WooCommerce, that’s fine. The fact alone that the WooCommerce plugin is now used on more websites on the entire internet than Magento says enough. People trust software like WooCommerce and for good reasons.

  4. It is a little funny that Ryan the other day defended against a criticism regarding security (lots of tests, lots of eyes) and then we have a critical security update four days later.

  5. As I said, I’ve never used it. Is it approved by places such as First Data Corp, Card Service International, or Authorize.Net?

    That doesn’t mean the “works with” sits there. There will be an Approved By statement in the license agreement. That means that it passes their auditing. If it doesn’t, then I’d simply not use it.

    It makes no difference how many websites use it. Or you can even call a sizeable merchant account provider and see if it’s a registered application or not. How many websites use this or that, and all is fine until it’s not and they are hacked. It’s one thing to have a blog or video or whatever site and have information compromised. It’s a VERY different thing in eCommerce, as that is VERY subject to damages.

    Don’t believe it? Ask any IT attorney.

    Don’t want to believe him or her? Call First Data or CardService (authorize.net). Don’t want to believe them? Call any hosting provider not trying to sell you services, one that is selling more dedicated services (such as Rackspace), and see if you can speak to their IT eCommerce specialist(s) in respect to Woo or others. Woo may be completely solid. I don’t know, I never even looked at it.

    VirtueMart on Joomla was said to be solid as well. That’s not necessarily where problems reside. Woo could be the best commerce gizmo since Apple’s and Honey were slapped together.

    The point is not necessarily ITS security. With a CMS system one may be using Plugin “A” which has a security issue that allows a hacker to get access and thus EXPOSE data. There are all sorts of data that, if compromised, people don’t tend to care about; they don’t like it, such as someone farming 100,000 email addresses and spam rolling in. But when it comes to data that amounts to identity theft capability, that gets nasty. Fast. Expensive. Fast. Can result in incarceration. Can result in instant injunctions here in the USA from a State Attorney General (essentially that means you’re out of business until a court says otherwise, can’t update anything existing… nothing, confiscation of anything related to the business, restraints placed on any associated accounts, on and on). I can’t speak to other nations in these regards.

    I don’t know what data Woo deals with. Does it hold encrypted card information? Does it hold PayPal login information? I presume it properly handles SSL.

    There are plenty of examples all over the Internet news about lawsuits resulting from malicious data access. One of the most recent is Anthem, with medical records, in which the State of California (and others, last I knew) filed suit.

    JP Morgan Chase, First Data, Neiman Marcus and buckets of others in class actions, state actions and/or both. So let me understand this. Because a site/business is using WooCommerce, which by nature, due to it being a CMS plugin, may get database data compromised indirectly via some other plugin, how does that escape liability for said activity?

    “Mr. Judge, the site was compromised as hackers accessed and farmed data from the ecommerce plugin due to a security hole in the cache mechanism. So I have no liability.”

    Again… CMS systems are, just as we are seeing with WordPress, more vulnerable to hacking because of their extensibility via plugins and/or widgets.

    The 15,000 consumers who got their identity stolen because of a cache, a commerce plugin, or because the webmaster just copied and pasted it into some forum could care less how or why, and the judge could care less how or why. He assigns liability, and whether it’s a class action or a state action, a prosecutor is there, and ignorance of security issues, whether they be in the commerce app or cache app or elsewhere, is completely immaterial to the matter. The matter is liability and assignment thereof.

    Just as JP Morgan Chase, Target Merchandise, and countless really large corporations have found in settlement. Woo can be as solid as or even more so than Magento or Amazon.com. Doesn’t matter.

    When dealing with commerce, wherever the security breach occurred does not void liability.

    If you are designing websites for other clients (or yourself for that matter), security of information is part of the deal. In commerce, it’s more important. Malicious code can do anything from compromising a database to injecting code that sends back every single credit card entered to some anonymous proxy, and off it goes into never-never land until your wife finds out that the necklace she ordered at Noodles Necklaces resulted in the next 10 years of her life becoming a nightmare.

    These are EXACTLY some of the stakes that our next presidential administration will begin to deal with, as well as illegitimate import/export and what are called “Warrants of Merchantability”, which for example every Goodwill store deals with but at eBay are “forgotten”.

    You can buy baseball cards on eBay for your son. He’s happy as a clam. Next thing you know he is diagnosed with Hepatitis for the rest of his days.

    Towards that end, it’s why eBay’s OmniChannel exists. That’s the “future of eBay”. I know it for a fact; Karin Stahl and I go WAAAAAAYYYYY back. While she now is not in the management roles she used to stress out about, at one point she was essentially #3 in the company.

    When making websites for clients, it’s simple. THINK ABOUT THE CLIENT, NOT THE CLIENT’S WALLET. Put YOURSELF in their shoes.

    If “Suzie’s Socks” was MY business, what would *I* do to ensure *MY* website for ecommerce (or anything else, perhaps) is as SECURE as I can make it? Would I use a platform that can have induced security holes due to third-party plugins? Do I ONLY put WooCommerce in and nothing else that may compromise security? Do I go with a known approved secure eCommerce package that has been signed off upon by Authorize.Net, First Data, Chase merchant services?

    The CLIENT will APPRECIATE that you have THEIR best interests at heart.

    Wouldn’t you?

    1. I don’t know what data Woo deals with. Does it hold encrypted card information? Does it hold PayPal login information? I presume it properly handles SSL.

      No, it doesn’t store any of that. That’s why I’m not even going to comment on all this. You go on a rampage with your comments here, throwing stuff at WooCommerce (or other platforms) that has absolutely zero to do with those platforms. WooCommerce, for example, works fine with all the payment gateways you mention; they all provide payment APIs or external payment gateways where you can get the payments processed without ever storing sensitive data on your own server.

      Besides, I don’t know why you went on a rampage here about WooCommerce, as this article doesn’t have anything to do with WooCommerce. Go read about how WooCommerce really works before you start posting these weird comments here that are a) not well informed and b) completely off-topic.

      1. I enjoy Rick’s rants. And he makes some valid points. Does WC encrypt email and address details? What about past and present orders? Nope. If your database is compromised, hello lawsuit. (That said, neither does Prestashop et al.)

        I’ve been testing Gravity Forms and Advanced Custom Fields to build a health survey. Enquire about encryption and suddenly two of the most popular plugins for storing data are just about useless out of the box for anything remotely sensitive. I’m a webmaster (as Rick would call me), so I look for ‘off the shelf’ solutions. For WP, they don’t exist.

        I’m about to launch a website that deals with a medical condition. I want to collect email addresses for newsletters. I want to offer symptoms checkers. I want to sell eBooks. Even my basic knowledge of (UK) law makes me scared of using WP and the popular plugins recommended for such tasks.

        Off topic? Yes. Relevant to the article? Well, I enjoyed his rant. WP is so easy for blaggards like me to use that it gives you a false sense of security. It powers all of the interwebs, so it must be safe! Until you want to store sensitive information and use kool plugins like the REST API.

    2. Excuse me sir.. but.. Are you high?

  6. Obviously you failed to read a post stating, “Doesn’t Woo use the REST API?”

    It does not matter which commerce package. Without a dissertation on PCI compliance and approval, which I was attempting to avoid.

    I looked at Woo’s explanation of PCI compliance and what they say is right. But they left some things out. PCI compliance means the database server is behind the application server. PCI compliance means FTP is not accessible at all. It stores 4 digits of data in the WP database. It should be storing none in the front-end WP DB.

    The explanation of security and PCI compliance is about the smallest I think I have ever seen.

    I just did a search through First Data’s PDF and in the search results found this as well:

    http://cart66.com/blog/woocommerce-vs-cart66/

    Never heard of the place. But from a brief browse it’s an interesting read.

    Here is a link to PCI Compliance documents: https://www.pcisecuritystandards.org/security_standards/documents.php

    There is also a list of verified PCI compliant apps.

    Again, I’ve never used it, never looked at its code. Apparently they just had a security matter a few weeks back, but I didn’t read the article.

    We’ve always put all information on a DB server behind a firewall when it comes to commerce; just a no-brainer, and that’s dedicated hosting. We won’t use a shared host and set up a client with eCommerce on it. I don’t know how many eCommerce sites we’ve done, perhaps 80 to 100 since 2000.

    Your description of “rampage” is rather ridiculous. I point out the obvious. WordPress is insecure by nature of plugins. When it comes to eCommerce, liability is an issue. If an application takes any card data through the application directly, it is vulnerable. In other words, if my commerce application takes card data on its front end (vs. a backend server), it is vulnerable. It’s not specific to Woo or any other. Ecommerce in shared server environments can be vulnerable through the provider’s security. Many use a shared certificate; this is a way “around” compliance.

    Contrary to apparently your beliefs, Woo or this CMS commerce app or that one are not the best choices on the planet, not due to them, but due to the nature of open CMS code.

    People are entering private data into a website. Where security holes exist in WordPress are areas where a hacker can leverage many things. Even have a consumer think they are on the secure platform, yet the form they are entering data into is not.

    Again, don’t believe it? Call the folks who set the standards in PCI compliance. Go right to the source.

    Just because there are millions of installs doesn’t mean tomorrow it doesn’t hit the fan, per se.

    First Data, a leading provider in back-end card processing services, has been hit BIG twice, as an example.

    How is it in ANY WAY responsible to set up eCommerce atop a platform (WordPress) that is well known as sort of a poster boy for security matters?

    Especially when solutions do exist that are focused completely on the task at hand, commerce. It’s all they do.

    1. This still has nothing to do with the post itself =). Go and complain to WooThemes instead if you have problems. It’s getting a little ridiculous.
