WordPress 4.7-5.7 – Authenticated Password Protected Pages Exposure | CVE 2021-29450

Description

The Latest Posts block in the WordPress editor can be exploited in a way that exposes password-protected posts and pages via the posts REST API when the "edit" context was used. This requires at least contributor privileges.

Proof of Concept

1. As one user, create a new password protected post. Ensure that it is in a "published" state.
2. Login as another user with the contributor role.
3. Create a new "draft" post and add the "Latest Posts" block.
4. Visit "https://example.com/wp-json/wp/v2/posts?order=desc&orderby=date&per_page=5&context=edit&_locale=user" to expose the password protected post content.

Affects WordPress

5.7

Fixed in WordPress 5.7.1

5.6.2

Fixed in WordPress 5.6.3

5.6.1

Fixed in WordPress 5.6.3

5.6

Fixed in WordPress 5.6.3

5.5.3

Fixed in WordPress 5.5.4

5.5.2

Fixed in WordPress 5.5.4

5.5.1

Fixed in WordPress 5.5.4

5.5

Fixed in WordPress 5.5.4

5.4.4

Fixed in WordPress 5.4.5

5.4.3

Fixed in WordPress 5.4.5

5.4.2

Fixed in WordPress 5.4.5

5.4.1

Fixed in WordPress 5.4.5

5.4

Fixed in WordPress 5.4.5

5.3.6

Fixed in WordPress 5.3.7

5.3.5

Fixed in WordPress 5.3.7

5.3.4

Fixed in WordPress 5.3.7

5.3.3

Fixed in WordPress 5.3.7

5.3.2

Fixed in WordPress 5.3.7

5.3.1

Fixed in WordPress 5.3.7

5.3

Fixed in WordPress 5.3.7

5.2.9

Fixed in WordPress 5.2.10

5.2.8

Fixed in WordPress 5.2.10

5.2.7

Fixed in WordPress 5.2.10

5.2.6

Fixed in WordPress 5.2.10

5.2.5

Fixed in WordPress 5.2.10

5.2.4

Fixed in WordPress 5.2.10

5.2.3

Fixed in WordPress 5.2.10

5.2.2

Fixed in WordPress 5.2.10

5.2.1

Fixed in WordPress 5.2.10

5.2

Fixed in WordPress 5.2.10

5.1.8

Fixed in WordPress 5.1.9

5.1.7

Fixed in WordPress 5.1.9

5.1.6

Fixed in WordPress 5.1.9

5.1.5

Fixed in WordPress 5.1.9

5.1.4

Fixed in WordPress 5.1.9

5.1.3

Fixed in WordPress 5.1.9

5.1.2

Fixed in WordPress 5.1.9

5.1.1

Fixed in WordPress 5.1.9

5.1

Fixed in WordPress 5.1.9

5.0.11

Fixed in WordPress 5.0.12

5.0.10

Fixed in WordPress 5.0.12

5.0.9

Fixed in WordPress 5.0.12

5.0.8

Fixed in WordPress 5.0.12

5.0.7

Fixed in WordPress 5.0.12

5.0.6

Fixed in WordPress 5.0.12

5.0.4

Fixed in WordPress 5.0.12

5.0.3

Fixed in WordPress 5.0.12

5.0.2

Fixed in WordPress 5.0.12

5.0.1

Fixed in WordPress 5.0.12

5.0

Fixed in WordPress 5.0.12

4.9.16

Fixed in WordPress 4.9.17

4.9.15

Fixed in WordPress 4.9.17

4.9.14

Fixed in WordPress 4.9.17

4.9.13

Fixed in WordPress 4.9.17

4.9.12

Fixed in WordPress 4.9.17

4.9.11

Fixed in WordPress 4.9.17

4.9.10

Fixed in WordPress 4.9.17

4.9.9

Fixed in WordPress 4.9.17

4.9.8

Fixed in WordPress 4.9.17

4.9.7

Fixed in WordPress 4.9.17

4.9.6

Fixed in WordPress 4.9.17

4.9.5

Fixed in WordPress 4.9.17

4.9.4

Fixed in WordPress 4.9.17

4.9.3

Fixed in WordPress 4.9.17

4.9.2

Fixed in WordPress 4.9.17

4.9.1

Fixed in WordPress 4.9.17

4.9

Fixed in WordPress 4.9.17

4.8.15

Fixed in WordPress 4.8.16

4.8.14

Fixed in WordPress 4.8.16

4.8.13

Fixed in WordPress 4.8.16

4.8.12

Fixed in WordPress 4.8.16

4.8.11

Fixed in WordPress 4.8.16

4.8.10

Fixed in WordPress 4.8.16

4.8.9

Fixed in WordPress 4.8.16

4.8.8

Fixed in WordPress 4.8.16

4.8.7

Fixed in WordPress 4.8.16

4.8.6

Fixed in WordPress 4.8.16

4.8.5

Fixed in WordPress 4.8.16

4.8.4

Fixed in WordPress 4.8.16

4.8.3

Fixed in WordPress 4.8.16

4.8.2

Fixed in WordPress 4.8.16

4.8.1

Fixed in WordPress 4.8.16

4.8

Fixed in WordPress 4.8.16

4.7.19

Fixed in WordPress 4.7.20

4.7.18

Fixed in WordPress 4.7.20

4.7.17

Fixed in WordPress 4.7.20

4.7.16

Fixed in WordPress 4.7.20

4.7.15

Fixed in WordPress 4.7.20

4.7.14

Fixed in WordPress 4.7.20

4.7.13

Fixed in WordPress 4.7.20

4.7.12

Fixed in WordPress 4.7.20

4.7.11

Fixed in WordPress 4.7.20

4.7.10

Fixed in WordPress 4.7.20

4.7.9

Fixed in WordPress 4.7.20

4.7.8

Fixed in WordPress 4.7.20

4.7.7

Fixed in WordPress 4.7.20

4.7.6

Fixed in WordPress 4.7.20

4.7.5

Fixed in WordPress 4.7.20

4.7.4

Fixed in WordPress 4.7.20

4.7.3

Fixed in WordPress 4.7.20

4.7.2

Fixed in WordPress 4.7.20

4.7.1

Fixed in WordPress 4.7.20

4.7

Fixed in WordPress 4.7.20

References

CVE

CVE-2021-29450

URL

https://wordpress.org/news/2021/04/wordpress-5-7-1-security-and-maintenance-release/

URL

https://blog.wpscan.com/2021/04/15/wordpress-571-security-vulnerability-release.html

URL

https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pmmh-2f36-wvhq

URL

https://core.trac.wordpress.org/changeset/50717/

YouTube Video

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CWE-200

CVSS

4.3 (medium)

Miscellaneous

Original Researcher

Mikael Korpela

Verified

Yes

WPVDB ID

6a3ec618-c79e-4b9c-9020-86b157458ac5

Timeline

Publicly Published

2021-04-15 (about 4 years ago)

Added

2021-04-15 (about 4 years ago)

Last Updated

2021-04-27 (about 4 years ago)

Other

Published

Title

Published

2021-08-18

Title

BuddyPress < 9.1.1 - Activation Key Disclosure

Published

2024-02-27

Title

Under Construction / Maintenance Mode from Acurax <= 2.6 - Authenticated (Subscriber+) Sensitive Information Exposure

Published

2024-03-28

Title

Paid Memberships Pro – Mailchimp Add On < 2.3.5 - Unauthenticated Information Disclosure

Published

2025-07-16

Title

JetWooBuilder < 2.1.20.1 - Authenticated (Subscriber+) Information Exposure

Published

2025-12-15

Title

Sober < 3.5.12 - Unauthenticated Information Exposure