Wordpress is vulnerable to information disclosure. The vulnerability exists in the wp_prepare_attachment_for_js
function in media.php
where a remote attacker can modify the parameter author_name
as part of a request to /wp-json/oembed/1.0/embed?url
which would lead to path disclosure.