WordPress Vulnerabilities

WordPress 5.4 to 5.8 - Data Exposure via REST API

Description

On September 9, 2021 WordPress version 5.8.1 was released fixing three vulnerabilities.

The official blog post states:

"Props @mdawaffe, member of the WordPress Security Team for their work fixing a data exposure vulnerability within the REST API."

Affects WordPress

5.8
Fixed in WordPress 5.8.1
5.7.2
Fixed in WordPress 5.7.3
5.7.1
Fixed in WordPress 5.7.3
5.7
Fixed in WordPress 5.7.3
5.6.4
Fixed in WordPress 5.6.5
5.6.3
Fixed in WordPress 5.6.5
5.6.2
Fixed in WordPress 5.6.5
5.6.1
Fixed in WordPress 5.6.5
5.6
Fixed in WordPress 5.6.5
5.5.5
Fixed in WordPress 5.5.6
5.5.4
Fixed in WordPress 5.5.6
5.5.3
Fixed in WordPress 5.5.6
5.5.2
Fixed in WordPress 5.5.6
5.5.1
Fixed in WordPress 5.5.6
5.5
Fixed in WordPress 5.5.6
5.4.6
Fixed in WordPress 5.4.7
5.4.5
Fixed in WordPress 5.4.7
5.4.4
Fixed in WordPress 5.4.7
5.4.3
Fixed in WordPress 5.4.7
5.4.2
Fixed in WordPress 5.4.7
5.4.1
Fixed in WordPress 5.4.7
5.4
Fixed in WordPress 5.4.7

References

CVE
CVE-2021-39200
URL
https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/
URL
https://github.com/WordPress/wordpress-develop/commit/ca4765c62c65acb732b574a6761bf5fd84595706
URL
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-m9hc-7v5q-x8q5

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
@mdawaffe
Submitter website
https://profiles.wordpress.org/mdawaffe/
Verified
No
WPVDB ID
38dd7e87-9a22-48e2-bab1-dc79448ecdfb

Timeline

Publicly Published
2021-09-09 (about 4 years ago)
Added
2021-09-09 (about 4 years ago)
Last Updated
2023-01-30 (about 2 years ago)

Other

Published
Title
Published
2024-04-22
Title
VikRentCar Car Rental Management System < 1.3.3 - Information Exposure
Published
2025-04-16
Title
Church Admin < 5.0.10 - Unauthenticated Information Disclosure
Published
2025-08-01
Title
BitFire < 4.6 - Unauthenticated Information Exposure
Published
2025-10-09
Title
AppExperts <= 1.4.5 - Unauthenticated Sensitive Information Exposure
Published
2025-04-07
Title
GreenPay(tm) by Green.Money 3.0.0 - 3.0.9 - Unauthenticated Information Exposure