Support » Plugin: GDPR Cookie Consent » Security issue: admin user name exposed

  • The plugin seems to store a public post_type called cookielawinfo, which is assigned to the admin user (i.e. the user who configures the plugin).

    However, since v4.4 WordPress has the REST API enabled, with the /wp-json/wp/v2/users method returning a list of users who have any public posts on the website.

    It is a security issue to display the admin login name (slug) via the API, and it should not normally happen, as with this information brute-force attackers have greater chances of success.

    Please fix this and help the world stay secure 🙂

    P.S.:
    On the positive side, a simple workaround would be to create another admin user (with an ID different from 1, which is the default) and delete the initial admin user. This way the attacker cannot distinguish admin from non-admin users via the REST API 😉

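A site-side mitigation for the exposure described in the post above, as an added example that is not part of the original post and is not the plugin's own code: it removes the user-listing REST routes for requests that are not logged in, so /wp-json/wp/v2/users no longer returns author slugs to anonymous callers. Placing it in a site-specific plugin or mu-plugin, and gating on login state rather than on a capability, are assumptions of this example.

```php
<?php
/**
 * Added example (not from the GDPR Cookie Consent plugin):
 * hide the REST user routes from anonymous requests.
 *
 * Assumption: this file is loaded as a site-specific plugin or mu-plugin.
 */
add_filter( 'rest_endpoints', function ( $endpoints ) {
    // Logged-in users keep the routes, so the editor's author
    // selector and other admin screens continue to work.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    // Core route keys for the user collection and a single user by ID.
    $user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );

    foreach ( $user_routes as $route ) {
        // unset() on a missing key is a no-op, so no isset() check is needed.
        unset( $endpoints[ $route ] );
    }

    return $endpoints;
} );
```

With the filter active, an anonymous request to /wp-json/wp/v2/users gets a "no route" 404 response instead of the user list, whichever user owns the cookielawinfo posts.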