WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Vulnerabilities

WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure

Description

The Latest Posts block in the WordPress editor can be exploited in a way that exposes password-protected posts and pages via the posts REST API when the "edit" context was used. This requires at least contributor privileges.

Proof of Concept

1. As one user, create a new password protected post. Ensure that it is in a "published" state.
2. Login as another user with the contributor role.
3. Create a new "draft" post and add the "Latest Posts" block.
4. Visit "https://example.com/wp-json/wp/v2/posts?order=desc&orderby=date&per_page=5&context=edit&_locale=user" to expose the password protected post content.

Affects WordPress

5.7
Fixed in version 5.7.1
5.6.2
Fixed in version 5.6.3
5.6.1
Fixed in version 5.6.3
5.6
Fixed in version 5.6.3
5.5.3
Fixed in version 5.5.4
5.5.2
Fixed in version 5.5.4
5.5.1
Fixed in version 5.5.4
5.5
Fixed in version 5.5.4
5.4.4
Fixed in version 5.4.5
5.4.3
Fixed in version 5.4.5

References

CVE
CVE-2021-29450
URL
https://wordpress.org/news/2021/04/wordpress-5-7-1-security-and-maintenance-release/
URL
https://blog.wpscan.com/2021/04/15/wordpress-571-security-vulnerability-release.html
URL
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pmmh-2f36-wvhq
URL
https://core.trac.wordpress.org/changeset/50717/

YouTube Video

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200

Miscellaneous

Original Researcher

Mikael Korpela

Verified

Yes

WPVDB ID
6a3ec618-c79e-4b9c-9020-86b157458ac5

Timeline

Publicly Published

2021-04-15 (about 1 years ago)

Added

2021-04-15 (about 1 years ago)

Last Updated

2021-04-27 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin