WordPress < 5.4.2 - Disclosure of Password-Protected Page/Post Comments

Description

Props to Carolina Nymark for discovering an issue where comments from password-protected posts and pages could be displayed under certain conditions.

Affects WordPresses

5.4.1

Fixed in version 5.4.2✓

5.4

Fixed in version 5.4.2✓

5.3.3

Fixed in version 5.3.4✓

5.3.2

Fixed in version 5.3.4✓

5.3.1

Fixed in version 5.3.4✓

5.3

Fixed in version 5.3.4✓

5.2.6

Fixed in version 5.2.7✓

5.2.5

Fixed in version 5.2.7✓

5.2.4

Fixed in version 5.2.7✓

5.2.3

Fixed in version 5.2.7✓

References

CVE

CVE-2020-25286

URL

https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/

URL

https://github.com/WordPress/WordPress/commit/c075eec24f2f3214ab0d0fb0120a23082e6b1122

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CWE-200

Miscellaneous

Original Researcher

Carolina Nymark

Verified

WPVDB ID

eea6dbf5-e298-44a7-9b0d-f078ad4741f9

Timeline

Publicly Published

2020-06-11 (about 1 years ago)

Added

2020-06-11 (about 1 years ago)

Last Updated

2020-09-15 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin