WordPress Vulnerabilities
WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure
Description
The Latest Posts block in the WordPress editor can be exploited in a way that exposes password-protected posts and pages via the posts REST API when the "edit" context was used. This requires at least contributor privileges.
Proof of Concept
1. As one user, create a new password protected post. Ensure that it is in a "published" state. 2. Login as another user with the contributor role. 3. Create a new "draft" post and add the "Latest Posts" block. 4. Visit "https://example.com/wp-json/wp/v2/posts?order=desc&orderby=date&per_page=5&context=edit&_locale=user" to expose the password protected post content.
Affects WordPress
Fixed in WordPress 5.7.1
Fixed in WordPress 5.6.3
Fixed in WordPress 5.6.3
Fixed in WordPress 5.6.3
Fixed in WordPress 5.5.4
Fixed in WordPress 5.5.4
Fixed in WordPress 5.5.4
Fixed in WordPress 5.5.4
Fixed in WordPress 5.4.5
Fixed in WordPress 5.4.5
Fixed in WordPress 5.4.5
Fixed in WordPress 5.4.5
Fixed in WordPress 5.4.5
Fixed in WordPress 5.3.7
Fixed in WordPress 5.3.7
Fixed in WordPress 5.3.7
Fixed in WordPress 5.3.7
Fixed in WordPress 5.3.7
Fixed in WordPress 5.3.7
Fixed in WordPress 5.3.7
Fixed in WordPress 5.2.10
Fixed in WordPress 5.2.10
Fixed in WordPress 5.2.10
Fixed in WordPress 5.2.10
Fixed in WordPress 5.2.10
Fixed in WordPress 5.2.10
Fixed in WordPress 5.2.10
Fixed in WordPress 5.2.10
Fixed in WordPress 5.2.10
Fixed in WordPress 5.2.10
Fixed in WordPress 5.1.9
Fixed in WordPress 5.1.9
Fixed in WordPress 5.1.9
Fixed in WordPress 5.1.9
Fixed in WordPress 5.1.9
Fixed in WordPress 5.1.9
Fixed in WordPress 5.1.9
Fixed in WordPress 5.1.9
Fixed in WordPress 5.1.9
Fixed in WordPress 5.0.12
Fixed in WordPress 5.0.12
Fixed in WordPress 5.0.12
Fixed in WordPress 5.0.12
Fixed in WordPress 5.0.12
Fixed in WordPress 5.0.12
Fixed in WordPress 5.0.12
Fixed in WordPress 5.0.12
Fixed in WordPress 5.0.12
Fixed in WordPress 5.0.12
Fixed in WordPress 5.0.12
Fixed in WordPress 4.9.17
Fixed in WordPress 4.9.17
Fixed in WordPress 4.9.17
Fixed in WordPress 4.9.17
Fixed in WordPress 4.9.17
Fixed in WordPress 4.9.17
Fixed in WordPress 4.9.17
Fixed in WordPress 4.9.17
Fixed in WordPress 4.9.17
Fixed in WordPress 4.9.17
Fixed in WordPress 4.9.17
Fixed in WordPress 4.9.17
Fixed in WordPress 4.9.17
Fixed in WordPress 4.9.17
Fixed in WordPress 4.9.17
Fixed in WordPress 4.9.17
Fixed in WordPress 4.9.17
Fixed in WordPress 4.8.16
Fixed in WordPress 4.8.16
Fixed in WordPress 4.8.16
Fixed in WordPress 4.8.16
Fixed in WordPress 4.8.16
Fixed in WordPress 4.8.16
Fixed in WordPress 4.8.16
Fixed in WordPress 4.8.16
Fixed in WordPress 4.8.16
Fixed in WordPress 4.8.16
Fixed in WordPress 4.8.16
Fixed in WordPress 4.8.16
Fixed in WordPress 4.8.16
Fixed in WordPress 4.8.16
Fixed in WordPress 4.8.16
Fixed in WordPress 4.8.16
Fixed in WordPress 4.7.20
Fixed in WordPress 4.7.20
Fixed in WordPress 4.7.20
Fixed in WordPress 4.7.20
Fixed in WordPress 4.7.20
Fixed in WordPress 4.7.20
Fixed in WordPress 4.7.20
Fixed in WordPress 4.7.20
Fixed in WordPress 4.7.20
Fixed in WordPress 4.7.20
Fixed in WordPress 4.7.20
Fixed in WordPress 4.7.20
Fixed in WordPress 4.7.20
Fixed in WordPress 4.7.20
Fixed in WordPress 4.7.20
Fixed in WordPress 4.7.20
Fixed in WordPress 4.7.20
Fixed in WordPress 4.7.20
Fixed in WordPress 4.7.20
Fixed in WordPress 4.7.20 References
CVE
YouTube Video
Classification
Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Mikael Korpela
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-04-15 (about 3 years ago)
Added
2021-04-15 (about 3 years ago)
Last Updated
2021-04-27 (about 3 years ago)
WPScan 