Unrated severity · NVD Advisory · Published Sep 9, 2021 · Updated Aug 4, 2024
Private data disclosure/privilege escalation through the block editor in WordPress
CVE-2021-39203
Description
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions, authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain conditions. This affected WordPress 5.8 beta during the testing period. It's fixed in the final 5.8 release.
Affected products
- WordPress/wordpress-develop · v5 · Range: 5.8 beta 1
References
- github.com/WordPress/wordpress-develop/security/advisories/GHSA-qxvw-qxm9-qvg6 (mitre, x_refsource_CONFIRM)
- hackerone.com/reports/1225282 (mitre, x_refsource_MISC)