CVE-2021-29450 — WordPress Authenticated disclosure of password-protected posts and pages

Description

Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.

How to fix CVE-2021-29450

To remediate CVE-2021-29450, upgrade the affected package to a fixed version below.

—upgrade to 5.7.1 or later
—upgrade to 5.7.1 or later
—upgrade to 5.7.1+dfsg1-1 or later

Is CVE-2021-29450 being exploited?

Low — EPSS is 2.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

>= 4.7.0, < 5.7.1
>= 4.7.0, < 5.7.1
from 0, < 5.7.1+dfsg1-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (6)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-29450
WEBgithub.com/WordPress/wordpress-develop/security/advisories/GHSA-pmmh-2f36-wvhq
WEBlists.debian.org/debian-lts-announce/2021/04/msg00017.html
WEBnvd.nist.gov/vuln/detail/CVE-2021-29450