The JSON REST API plugin for WordPress released a security update over the weekend. Version 1.1.1 includes a fix for a vulnerability in which the JSONP support built into the API could be used to serve up arbitrary Flash SWF files. This technique has been used in the past to abuse JSON endpoints so that Flash files can bypass browser cross-domain policies.
WordPress core already has CSRF protection, but the WP REST API is often used in combination with other software that may not have the same protections. You can disable JSONP support with a filter:
add_filter( 'json_jsonp_enabled', '__return_false' ); // turn off JSONP output for the WP REST API
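For a site that needs to keep JSONP enabled, the following is an added example (not the plugin's own code) of emitting JSONP so that the request cannot control the leading bytes of the response: the callback name is restricted to an identifier pattern, the body is prefixed with a fixed comment, and the browser is told not to sniff the content type. The function names and the error code string are assumptions made for this illustration.

```php
<?php
// Added example, not code from the WP REST API plugin. Function names and the
// 'jsonp_callback_invalid' error code are assumptions for this illustration.

// Accept only identifier-like callback names (letters, digits, underscore, dot)
// of bounded length, so the caller cannot choose arbitrary bytes for the body.
function is_safe_jsonp_callback( $callback ) {
    return is_string( $callback )
        && $callback !== ''
        && strlen( $callback ) <= 128
        && preg_match( '/^[A-Za-z_][\w.]*$/', $callback ) === 1;
}

// Build the JSONP body. The leading "/**/" keeps the first bytes of the
// response fixed, so a client that loads the URL as something other than
// script never finds caller-controlled data at offset zero. Returns null
// when the callback is unacceptable so the caller can refuse the request.
function build_jsonp_body( $callback, $data ) {
    if ( ! is_safe_jsonp_callback( $callback ) ) {
        return null;
    }
    $json = json_encode( $data, JSON_HEX_TAG | JSON_HEX_AMP );
    return '/**/' . $callback . '(' . $json . ');';
}

// Send the response with headers that declare it as script and forbid sniffing.
function send_jsonp( $callback, $data ) {
    $body = build_jsonp_body( $callback, $data );
    if ( $body === null ) {
        http_response_code( 400 );
        header( 'Content-Type: application/json; charset=utf-8' );
        echo json_encode( array( 'code' => 'jsonp_callback_invalid' ) );
        return;
    }
    header( 'Content-Type: application/javascript; charset=utf-8' );
    header( 'X-Content-Type-Options: nosniff' );
    echo $body;
}

// Constructed sample inputs for a quick check from the CLI (php this_file.php):
var_dump( is_safe_jsonp_callback( 'jQuery19101_1414' ) );        // bool(true)
var_dump( is_safe_jsonp_callback( 'not a valid identifier!' ) ); // bool(false)
var_dump( build_jsonp_body( 'cb', array( 'ok' => true ) ) );     // string "/**/cb({"ok":true});"
```

Rejecting the callback with a 400 rather than echoing a "cleaned" version avoids any chance of the sanitizer itself producing output the request shaped.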
WP API project lead Ryan McCue credits Ian Dunn in the release announcement for responsibly disclosing the vulnerability to the team.
The WP REST API project is now available on HackerOne, with a bounty for hackers who discover remote code execution exploits, SQL injection, privilege escalation, and other security issues. The WP-API plugin is listed as a high priority along with the OAuth 1.0a server plugin, which provides authentication for the API.
The vulnerability fixed in version 1.1.1 of the plugin was classified as a minor security issue, according to McCue, and no sites have reported any exploits. He recommends that anyone still using version 1.1 of the plugin update as soon as possible.