Exposure of Sensitive Information to an Unauthorized Actor

Summary

WordPress versions prior to 4.7.27, 4.8.x prior to 4.8.23, 4.9.x prior to 4.9.24, 5.0.x prior to 5.0.20, 5.1.x prior to 5.1.17, 5.2.x prior to 5.2.19, 5.3.x prior to 5.3.16, 5.4.x prior to 5.4.14, 5.5.x prior to 5.5.13, 5.6.x prior to 5.6.12, 5.7.x prior to 5.7.10, 5.8.x prior to 5.8.8, 5.9.x prior to 5.9.8, 6.0.x prior to 6.0.6, 6.1.x prior to 6.1.4, 6.2.x prior to 6.2.3, and 6.3.x prior to 6.3.2 does not properly restrict which user fields are searchable via the REST API, which leads to vulnerable to Sensitive Information Exposure.