Yes, I’m aware of the report and I’ve been in direct contact with Patchstack about it. The issue they’ve flagged concerns certain data being exposed via the REST API, essentially in the same way WordPress itself exposes data, for example through /wp-json/wp/v2/users.
One important distinction, however, is that in my plugin this functionality can be fully disabled from the admin interface, whereas in core WordPress it requires custom code to change or remove. From my perspective, it’s problematic that a third party effectively dictates plugin functionality when the behavior is optional and under the site owner’s control.
That said, a patch has already been submitted to Patchstack and is currently awaiting approval.
Thanks again for reaching out, and please don’t hesitate to get back to me if you need any further clarification.
Thank you for your quick response and confirmation regarding the solution to this issue. I love your plugin and wouldn’t want to have to change it.
Which option did you mention that needs to be disabled?
If you update the plugin, you don’t have to worry; I force it to be disabled by default. But, for the record, it’s the old “Hide admin email in error messages”, which is now “Show admin email in error messages”.
Thank you very much for the reply and for the update 😊