Lucene search
WpvulndbWPVDB-ID:6A3EC618-C79E-4B9C-9020-86B157458AC5HistoryApr 15, 2021 - 12:00 a.m.
WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure
2021-04-1500:00:00
wpscan.com
522
0.007 Low
EPSS
Percentile
79.6%
The Latest Posts block in the WordPress editor can be exploited in a way that exposes password-protected posts and pages via the posts REST API when the “edit” context was used. This requires at least contributor privileges.
PoC
1. As one user, create a new password protected post. Ensure that it is in a “published” state. 2. Login as another user with the contributor role. 3. Create a new “draft” post and add the “Latest Posts” block. 4. Visit “https://example.com/wp-json/wp/v2/posts?order=desc&orderby;=date&per;_page=5&context;=edit&_locale=user” to expose the password protected post content.
Related
osv
osv
BIT-wordpress-2021-29450
2024-03-06 11:10:45
BIT-wordpress-multisite-2021-29450
2024-03-06 11:10:30
CVE-2021-29450
2021-04-15 22:15:12
veracode
veracode
Privilege Escalation
2021-04-18 07:58:19
ubuntucve
ubuntucve
CVE-2021-29450
2021-04-15 00:00:00
cve
cve
CVE-2021-29450
2021-04-15 22:15:12
cvelist
cvelist
nvd
nvd
CVE-2021-29450
2021-04-15 22:15:12
wpexploit
wpexploit
WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure
2021-04-15 00:00:00
debiancve
debiancve
CVE-2021-29450
2021-04-15 22:15:12
prion
prion
Design/Logic Flaw
2021-04-15 22:15:00
openvas
openvas
Debian: Security Advisory (DLA-2630-1)
2021-04-22 00:00:00
WordPress Multiple Vulnerabilities (Apr 2021) - Windows
2021-04-16 00:00:00
Debian: Security Advisory (DSA-4896-1)
2021-04-24 00:00:00
debian
debian
[SECURITY] [DLA 2630-1] wordpress security update
2021-04-21 06:46:28
[SECURITY] [DSA 4896-1] wordpress security update
2021-04-22 05:56:18
[SECURITY] [DSA 4896-1] wordpress security update
2021-04-22 05:56:18
nessus
nessus
Debian DLA-2630-1 : wordpress security update
2021-04-22 00:00:00
Debian DSA-4896-1 : wordpress - security update
2021-04-23 00:00:00