Good Breakdown of Recent WordPress Vulnerability
The Sucuri Blog has a good dissection of the recent critical WordPress REST API vulnerability. I won’t rehash the details here, but I did want to point out that this is why developers should remember to follow these two rules of defensive programming:
- Sanitize inputs as early as possible
- Sanitize outputs as late as possible
In this case, the first rule was not followed: the input was not sanitized early enough, and there are a couple of different places in the code path where that validation could have been done.
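To make the two rules concrete, here is a small example written for this note (it is not code from the post, from Sucuri's write-up, or from WordPress itself): a REST-style handler that validates an `id` parameter strictly at the boundary and escapes only when rendering, shown beside the coerce-first pattern to avoid. The `POSTS` table, the handler names and the id format are assumptions.

```python
import html
import re
from typing import Optional

# Constructed sample data standing in for a post store; not from WordPress.
POSTS = {123: {"title": "Hello <world> & \"friends\""}}

# Only a canonical positive decimal integer is accepted as an id.
_ID_RE = re.compile(r"[1-9][0-9]*")


def parse_post_id(raw: str) -> Optional[int]:
    """Rule 1: validate the raw parameter at the boundary, before any lookup.

    Returns the integer id, or None if the input is not exactly an integer.
    """
    return int(raw) if _ID_RE.fullmatch(raw) else None


def lenient_post_id(raw: str) -> int:
    """The pattern to avoid: coerce first and validate later (or never).

    Mimics a loose integer cast (like PHP's (int)): leading digits are kept
    and trailing junk is silently dropped, so '123abc' becomes 123 and the
    value that reaches the data layer is not the value any earlier check saw.
    """
    m = re.match(r"\s*(\d+)", raw)
    return int(m.group(1)) if m else 0


def handle_get_post(raw_id: str) -> Optional[dict]:
    """Request handler: reject bad ids early; hand back raw, unescaped data."""
    post_id = parse_post_id(raw_id)
    if post_id is None:
        return None  # caller maps this to a 400 response
    return POSTS.get(post_id)


def render_title_html(post: dict) -> str:
    """Rule 2: escape as late as possible, for the concrete output context.

    Escaping here (HTML) rather than at storage time means the same stored
    string can later be emitted to JSON, a log line or a terminal with the
    escaping that context needs, instead of being mangled for all of them.
    """
    return f"<h1>{html.escape(post['title'], quote=True)}</h1>"
```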