CVE-2021-39203 MEDIUM

CVE-2021-39203: Private data disclosure/privilege escalation through the block editor in Wordpress

Vendor Wordpress
Product wordpress-develop
Weakness CWE-200 · Info exposure
Published September 9, 2021
Last update August 4, 2024

CVSS base score

6.8/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain conditions. This affected WordPress 5.8 beta during the testing period. It's fixed in the final 5.8 release.

Key dates

02Disclosure timeline

September 9, 2021 CVE published
August 4, 2024 Record updated