MRK Rest Permissions Plugin by MRK WP
This plugin is a simple adjustment that makes the user REST endpoints require authentication: requests from visitors who are not logged in, or who lack the edit posts capability, receive a 401 response.
This addresses a perceived vulnerability in WordPress.
An attacker will generally grab the list of users from the WordPress REST API and then attack the login form with that list, trying to brute-force the password field.
This works because the users endpoint is not authenticated by default.
A lot of audits and Essential 8 security teams will ask for this endpoint to be closed.
It is usually identified as a "medium" security risk.
YouTube video breakdown is here: https://youtu.be/ZtbxaWQLRI4
Read more about the plugin here: https://www.mrkwp.com/wp/secure-user-rest-api/
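The mechanism described above, shown as an added example that is not the plugin's own code: a `rest_endpoints` filter wraps the existing `permission_callback` of the two core user routes (`/wp/v2/users` and `/wp/v2/users/(?P<id>[\d]+)`) so that any request from a user without `edit_posts` gets a `WP_Error` with HTTP status 401, while the original WordPress permission check still runs for everyone else. The function name and text domain are placeholders chosen for this example.

```php
<?php
/**
 * Added example (not the MRK Rest Permissions plugin's own source):
 * require the edit_posts capability on the core user REST routes and
 * answer with 401 instead of exposing the user list anonymously.
 *
 * Hook this from a plugin file or theme functions.php.
 */
add_filter( 'rest_endpoints', 'mrkwp_example_protect_user_routes' );

/**
 * Wrap the permission callbacks of the user routes.
 *
 * @param array $endpoints Registered routes, keyed by route regex, as passed by WP_REST_Server.
 * @return array Filtered routes.
 */
function mrkwp_example_protect_user_routes( array $endpoints ) {
	// Only the collection and single-user routes are closed; /wp/v2/users/me
	// is left alone because it already requires a logged-in user.
	$protected_routes = array(
		'/wp/v2/users',
		'/wp/v2/users/(?P<id>[\d]+)',
	);

	foreach ( $protected_routes as $route ) {
		if ( ! isset( $endpoints[ $route ] ) ) {
			continue;
		}

		foreach ( $endpoints[ $route ] as $index => $handler ) {
			// Each route holds integer-keyed handler arrays plus a 'namespace' string; skip the latter.
			if ( ! is_array( $handler ) ) {
				continue;
			}

			$original_callback = isset( $handler['permission_callback'] ) ? $handler['permission_callback'] : null;

			$endpoints[ $route ][ $index ]['permission_callback'] = function ( $request ) use ( $original_callback ) {
				// Anonymous visitors and low-privilege accounts are denied with 401, which the
				// block editor tolerates; a 404 here would break the author selection box.
				if ( ! current_user_can( 'edit_posts' ) ) {
					return new WP_Error(
						'rest_user_cannot_view',
						__( 'You must be logged in with permission to edit posts to view user data.', 'mrkwp-example' ),
						array( 'status' => 401 )
					);
				}

				// Defer to the core permission check for everything else (e.g. edit/delete rules).
				if ( is_callable( $original_callback ) ) {
					return call_user_func( $original_callback, $request );
				}

				return true;
			};
		}
	}

	return $endpoints;
}
```

Because the wrapper only short-circuits when `current_user_can( 'edit_posts' )` is false, editors and administrators still see the author dropdown in the block editor, and core's own stricter checks for creating, updating or deleting users remain in force. To confirm the change, request `/wp-json/wp/v2/users` without a login cookie or application password and check for a `401` status with the JSON error body rather than a user list.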
The REST API for users will return a 401 response (Unauthorised).
No. The WordPress admin interface and block editor require the API to be readable or return a 401.
The user / author selection box inside the Block Editor will disappear when a 401 is returned.
If a 404 is returned it creates errors in the block editor.
See "User Information Disclosure via REST API" (CVE-2017-5487).
Reference URL for the CVE: https://www.cvedetails.com/cve/CVE-2017-5487/
- Changed to use a permission callback model inside the REST endpoints.
- Now we have an update that does the permission check properly with a 401 response.
- Removed some of the custom PHPCS sniffs that were used for the PSR-4 autoloader.
- Updated the readme FAQ and description.
- Fix for "User Information Disclosure via REST API" (CVE-2017-5487).
- Removed the PSR-4 setup.
- Shifted the remove REST users function to the main plugin function.
- Initial setup of plugin.