The WP REST API development team has released a critical security update. Rachel Baker, one of the lead developers of the WP REST API plugin says, “The release fixes a serious information disclosure vulnerability, which allowed for unpublished content and post revisions to be retrieved via the REST API.” The security vulnerability affects versions 1.2.0 and earlier.
The security update was coordinated by the REST API and the WordPress core security team. The WordPress core security team is pushing out automatic updates for each branch. There are packages for 1.2.1, 1.1.3, 1.0.2, 0.9.2, and 0.8.2.
If you’re using WP REST API version 1.2.0 or earlier, don’t wait for the auto update. Instead, manually update as soon as possible. You can update by browsing to Dashboard – Updates in the WordPress backend, download it from the plugin directory (zip), or pull it from GitHub.
In addition to the WP REST API plugin, Custom Contact Forms and Reactor: Core, have pushed out security updates related to the WP REST API vulnerability. If you use any of the plugins mentioned above, please update as soon as possible.
Source: WP Tavern