Back to blog
WordPresstechnicalvulnerabilities

WordPress REST API: 7 dangerous endpoints enabled by default

Published on 2026-04-036 min readCleanIssue

> TL;DR: Your WordPress exposes sensitive data via REST API without you knowing. Here are 7 endpoints to check now.

WordPress exposes more than you think

By default, WordPress enables a complete REST API accessible to any visitor.

Endpoint 1: /wp-json/wp/v2/users

Lists all users with names and slugs.

Endpoint 2: /wp-json/acf/v3/options

ACF Pro can return ALL site options — including API keys and tokens.

Endpoint 3: /wp-json/wp/v2/media

Enumeration of all uploaded files. Sequential IDs = download private files.

Endpoints 4-7: Custom namespaces

Every plugin registering a REST namespace creates potentially unauthenticated endpoints.

Key Takeaways

  • Authenticate every API endpoint — publicly exposed internal routes are the #1 vulnerability.
  • Implement per-tenant rate limiting to prevent enumeration and scraping.
  • Document and version your APIs to detect unprotected orphan endpoints.
  • Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.

    Sources

    Written by CleanIssue
    Reviewed on 2026-04-03

    Editorial analysis based on official vendor, project, and regulator documentation.

    Related services

    If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.

    Need an external review of your HR SaaS?

    Share your product, stack, and client context. We will come back with the right review scope.

    Discuss your audit