PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5487 WordPress CVE debrief

CVE-2017-5487 is a WordPress 4.7 REST API information disclosure issue. According to the CVE record, the users controller did not properly restrict listings of post authors, allowing a remote attacker to obtain sensitive information through a wp-json/wp/v2/users request. The issue is rated medium severity and is fixed in WordPress 4.7.1.

Vendor
WordPress
Product
WordPress
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-15
Original CVE updated
2026-05-13
Advisory published
2017-01-15
Advisory updated
2026-05-13

Who should care

Administrators of WordPress sites running 4.7 (NVD lists the affected range as up to and including 4.7; 4.7.1 is the first fixed release), and in particular internet-facing sites that expose the REST API, should prioritize this update. The endpoint is reachable remotely and requires no authentication, so the disclosed user data is available to anyone enumerating accounts before a credential attack.

Technical summary

The vulnerable component is wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in WordPress 4.7, the first release to ship the REST API content endpoints in core. The CVE describes insufficient restriction of author/user listings in the users endpoint: an unauthenticated GET to wp-json/wp/v2/users returned the public view of every user who had authored a post of any public post type. That view includes the user's slug (user_nicename), which WordPress derives from the login name by default, so the listing amounts to username enumeration over the network without user interaction. The 4.7.1 release notes describe the fix as narrowing the listing to authors of post types that are themselves exposed in the REST API. NVD classifies the weakness as CWE-200 and lists affected WordPress versions up to and including 4.7, with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3, Medium).
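What the listing looks like to an anonymous caller, and how a tester or site owner would reduce it to a finding, as an added example (not PatchSiren's or WordPress's own code). The JSON bodies are constructed to match the shape of a WordPress 4.7 public user object and of a REST error object; the values are invented, and nothing in the block talks to a network.

```python
"""Added example, not PatchSiren's or WordPress's own code: what an unauthenticated
GET to wp-json/wp/v2/users returns on an affected site, and why it matters.
SAMPLE_RESPONSE and ERROR_RESPONSE are constructed (shape of the 4.7 public-view
user object; values invented). Nothing here talks to a network."""
import json

# Constructed: two users as WordPress 4.7 would list them to an anonymous caller.
SAMPLE_RESPONSE = json.dumps([
    {"id": 1, "name": "Site Admin", "url": "", "description": "",
     "link": "https://blog.example/author/admin/", "slug": "admin",
     "avatar_urls": {"96": "https://blog.example/avatar/1"}, "meta": []},
    {"id": 7, "name": "Jane Editor", "url": "", "description": "",
     "link": "https://blog.example/author/jdoe/", "slug": "jdoe",
     "avatar_urls": {"96": "https://blog.example/avatar/7"}, "meta": []},
])

# Constructed: the WP_Error shape the controller returns for requests it refuses
# (for example ?context=edit without authentication). No list is present at all.
ERROR_RESPONSE = json.dumps({
    "code": "rest_user_cannot_view",
    "message": "Sorry, you are not allowed to list users.",
    "data": {"status": 401},
})


def users_endpoint_url(base_url: str, page: int = 1, per_page: int = 100) -> str:
    """URL for one page of the listing. The REST API caps per_page at 100, so a full
    enumeration walks page=1, 2, ... (the X-WP-TotalPages response header says how far)."""
    return f"{base_url.rstrip('/')}/wp-json/wp/v2/users?per_page={per_page}&page={page}"


def extract_accounts(body: str) -> list:
    """Reduce a listing to the fields an attacker keeps. 'slug' is user_nicename,
    which WordPress derives from the login name by default, so it is the field that
    turns this disclosure into username enumeration. Returns [] for an error object."""
    parsed = json.loads(body)
    if not isinstance(parsed, list):        # WP_Error object, not a listing
        return []
    return [{"id": u["id"], "slug": u["slug"], "name": u.get("name", "")}
            for u in parsed if "id" in u and "slug" in u]


def assess(body: str) -> dict:
    """Summarise one page of the endpoint for a pentest or self-check report.
    Caveat: a patched 4.7.1+ site still lists authors of REST-exposed post types,
    so a non-empty listing is a finding to triage, not proof of an unpatched 4.7."""
    accounts = extract_accounts(body)
    return {
        "exposed": bool(accounts),
        "count": len(accounts),
        "candidate_logins": sorted(a["slug"] for a in accounts),
    }


if __name__ == "__main__":
    print(users_endpoint_url("https://blog.example"))
    print(assess(SAMPLE_RESPONSE))
    print(assess(ERROR_RESPONSE))
```

The candidate_logins list is the artefact that matters operationally: those slugs are the usernames a follow-on brute-force or credential-stuffing attempt would use against wp-login.php or XML-RPC.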

Defensive priority

Medium, with higher urgency for exposed WordPress 4.7 deployments because the flaw is remotely reachable and unauthenticated, and a vendor fix is available in 4.7.1.

Recommended defensive actions

  • Upgrade WordPress to 4.7.1 or later as the primary remediation.
  • Confirm that no WordPress 4.7 or earlier instances remain in production or on public-facing systems.
  • Review access logs for requests to wp-json/wp/v2/users, including the ?rest_route=/wp/v2/users form used when pretty permalinks are disabled, and investigate clients that page through the listing (repeated per_page/page requests from one source).
  • Apply normal WordPress account hardening on the assumption that disclosed author names and slugs will be used as login names in credential attacks, and monitor for unexpected disclosure of author or username data.
  • Use the WordPress 4.7.1 release notes and associated patch reference to validate that the intended fix is present in your deployed build.
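Two of the actions above, checking the deployed build against 4.7.1 and finding enumeration in access logs, as an added example script (not PatchSiren's or WordPress's own code). The version.php fragment and the log lines are constructed; the client addresses are documentation ranges, and the three-request threshold is an assumption to tune for the site.

```python
"""Added example, not PatchSiren's or WordPress's own code: two offline checks,
(1) is the deployed build at or past 4.7.1, read from wp-includes/version.php, and
(2) which clients in an access log look like they paged through wp-json/wp/v2/users.
SAMPLE_VERSION_PHP and SAMPLE_LOG are constructed; the threshold is an assumption."""
import re
from collections import defaultdict
from urllib.parse import unquote

FIXED_VERSION = (4, 7, 1)   # first release containing the fix, per the CVE record

# Constructed: the relevant line of wp-includes/version.php on an unpatched site.
SAMPLE_VERSION_PHP = "<?php\n/**\n * The WordPress version string\n */\n$wp_version = '4.7';\n"


def parse_wp_version(version_php: str) -> tuple:
    """Read $wp_version from the file text and return a comparable int tuple.
    A suffix such as '-RC1' is dropped, so a release candidate compares as the final."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    parts = []
    for piece in m.group(1).split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_affected(version: tuple) -> bool:
    """True for anything below 4.7.1. The CVE names 4.7 specifically; older branches
    are flagged too because none should remain in production."""
    return version < FIXED_VERSION


# Apache/nginx combined log format: client, identity, user, [time], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Pretty-permalink route, or the ?rest_route= form used when pretty permalinks are off.
# The path is URL-decoded before matching so %2F-encoded variants are caught too.
USERS_ROUTE = re.compile(r'/wp-json/wp/v2/users(?:[/?]|$)|rest_route=/wp/v2/users(?:[/?&]|$)')

# Constructed sample log: one client walking the listing, two unrelated clients.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jan/2017:03:12:07 +0000] "GET /wp-json/wp/v2/users?per_page=100&page=1 HTTP/1.1" 200 8214 "-" "python-requests/2.12.4"
198.51.100.7 - - [16/Jan/2017:03:12:09 +0000] "GET /wp-json/wp/v2/posts?per_page=10 HTTP/1.1" 200 31022 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Jan/2017:03:12:10 +0000] "GET /wp-json/wp/v2/users?per_page=100&page=2 HTTP/1.1" 200 7990 "-" "python-requests/2.12.4"
192.0.2.9 - - [16/Jan/2017:03:13:41 +0000] "GET /wp-json/wp/v2/users/1 HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Jan/2017:03:12:12 +0000] "GET /?rest_route=%2Fwp%2Fv2%2Fusers&per_page=100&page=3 HTTP/1.1" 200 1203 "-" "python-requests/2.12.4"
203.0.113.5 - - [16/Jan/2017:03:12:13 +0000] "GET /wp-json/wp/v2/users?per_page=100&page=4 HTTP/1.1" 400 189 "-" "python-requests/2.12.4"
"""


def users_requests(log_text: str) -> dict:
    """Group every request that touches the users route by client address."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote(m["path"])
        if USERS_ROUTE.search(path):
            hits[m["ip"]].append((m["ts"], path, int(m["status"])))
    return dict(hits)


def enumeration_candidates(log_text: str, threshold: int = 3) -> dict:
    """Clients with at least `threshold` users-route requests (assumed threshold). One
    request can be a theme or plugin reading an author; a paged series is enumeration."""
    return {ip: reqs for ip, reqs in users_requests(log_text).items() if len(reqs) >= threshold}


if __name__ == "__main__":
    v = parse_wp_version(SAMPLE_VERSION_PHP)
    print("deployed", v, "affected" if is_affected(v) else "fixed")
    for ip, reqs in enumeration_candidates(SAMPLE_LOG).items():
        print(ip, len(reqs), "users-route requests, last status", reqs[-1][2])
```

The trailing 400 in the sample is worth keeping in the detection: a client that keeps paging until the API rejects the page number has walked the whole listing, which is stronger evidence of enumeration than any single 200.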

Evidence notes

This debrief is grounded in the supplied CVE description, NVD metadata, and the linked WordPress 4.7.1 release/patch references. The CVE description states that the REST API users controller in WordPress 4.7 before 4.7.1 did not properly restrict listings of post authors, enabling remote information disclosure via wp-json/wp/v2/users. NVD metadata confirms the affected version range, the CWE-200 classification, and the CVSS vector. Link contents were not independently fetched here, so assertions are limited to the provided record and reference metadata.

Official resources

Publicly disclosed and published on 2017-01-15. The CVE record and vendor references indicate the affected range was WordPress 4.7 before 4.7.1, with remediation in WordPress 4.7.1.