/wp-json/wp/v2/users exposes the following data:
id: 1,
name: "Firstname Lastname",
url: "",
description: "",
link: "http://example.com/author/author-page/",
avatar_urls: {},
slug: "author-slug",
_links: {}
Precise usernames are pretty easy to guess based on this information.
I agree with Fred.
This should not be left open by default. Also, the argument does not hold true when you’re using custom-built themes that don’t display any author/user information in the first place.
It’s not a blatant security risk, but it is kind of a weird move to publicize all your admin accounts like that. By DEFAULT.
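One way to close the endpoint to anonymous visitors, as an added example that is not part of the original thread and not WordPress core code: a small plugin that removes the `/wp/v2/users` routes for requests that are not logged in. The plugin name in the header is an assumption; `rest_endpoints` and `is_user_logged_in()` are existing WordPress hooks and functions.

```php
<?php
/**
 * Plugin Name: Hide REST user listing from anonymous visitors (added example)
 * Description: Removes the /wp/v2/users routes for requests that are not logged in.
 */

// Do nothing when the file is loaded outside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Filter the REST route table before a request is dispatched.
 *
 * Logged-in users keep the routes, because the editor relies on them
 * (for example to fill the author selector). Anonymous requests get a
 * 404 "rest_no_route" instead of the id/name/slug/link listing.
 *
 * @param array $endpoints Route pattern => handler definitions.
 * @return array Filtered route table.
 */
function example_hide_rest_users_from_anonymous( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    foreach ( array_keys( $endpoints ) as $route ) {
        // Covers the collection route /wp/v2/users and every route below it,
        // such as the single-user route /wp/v2/users/(?P<id>[\d]+).
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }

    return $endpoints;
}
add_filter( 'rest_endpoints', 'example_hide_rest_users_from_anonymous' );
```

This only covers the REST API: the `link` field in the listing above points at the author archive, which still carries the slug in its URL on themes that serve author pages.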
Chiming in….
So far, CF7 (including Mail) is working fine with WP 4.4.2 and PHP 7.0.2.