WP API: Missing access control exposing detailed information on all users

The WP REST API WordPress plugin fails to apply access controls for the 'edit' context. This means that with a single HTTP request, an attacker can obtain the following information for every single registered user: username, email address, first name, last name, date of registration, and detailed...

WP API: MD5 used for Key-Auth signatures

https://github.com/WP-API/Key-Auth/blob/f9b74b3e4df667cfb44baba556eafde65fa3aec9/key-auth.phpL65 MD5 is vulnerable to length-extension attacks. Maybe consider changing this to hashhmac'sha256', jsonencode$args, $secret?...

WP API: Cryptographic Side Channel in OAuth Library

Because hashes and tokens are compared with the !== and === operators, these checks may be susceptible to timing attacks. More info: http://codahale.com/a-lesson-in-timing-attacks/ Affected code:...