WP API is responsible for WordPress site data from posts to users, including private data. While we've taken every effort to consider security and privacy concerns while building the API, all software has bugs. If you believe you've found a security issue in the API, we want to work with you to ensure the issue is fixed and distributed to users as quickly as possible.

Scope

The scope of this project is limited to the latest version of any of the following projects running on WordPress 3.9 or newer:

• High Priority

  • JSON REST API plugin __(WP API)
  • OAuth 1.0a server plugin __

  • Medium Priority

  • Javascript client __

  • WP-CLI client __
  • PHP client library __

  • Low Priority

  • API console __

  • Basic authentication __
  • WP-API.org __

You should install a copy of the project and WordPress on your own server. Do not test on servers you do not own.

While we take compatibility with other plugins seriously, it is at our discretion as to whether we accept issues caused by interactions with other plugins. If we decide to accept these issues, we will also attempt to work with the other plugin developers to resolve the issue.

Severe issues include (but are not limited to) remote code execution exploits, SQL injection, and privilege escalation. Severity will be assessed at the team's discretion.

Response

We will attempt to respond to reports within a week at latest, typically within 48 hours. (Keep in mind that we are distributed across timezones, and this may cause a delay if we need to discuss internally.) Severe issues will be handled as soon as possible, while all other issues will be handled as part of our normal bug triaging process.