Vulnerability in WordPress Core: Bypass any password protected post. CVSS Score: 7.5 (High)
The WordPress Core team has just released WordPress version 4.5.3, a maintenance and security release. The release went out less than 2 hours ago.
WordPress allows you to create posts that are protected by a password; only users who know that password can then view the post.
On May 3rd we disclosed a vulnerability in WordPress Core to the Core team that allowed any user with an unprivileged account to bypass the password protection WordPress provides. Anonymous attackers are able to exploit this vulnerability and gain access to password-protected posts on websites where registration is open.
The CVSS score of this vulnerability is 7.5 (High) for websites with open registration, because no privileges are required in that case to exploit the vulnerability. On websites with closed registration the CVSS score is 6.5 (Medium), because low privileges are required to exploit the vulnerability.
The WordPress team responded on May 6th and acknowledged the vulnerability.
On May 31st they asked for an extension.
Today, June 21st, they released a fix for this vulnerability; it is included in WordPress core version 4.5.3, a maintenance and security release.
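As an added example that is not part of this post, the check below reads the version string WordPress stores in wp-includes/version.php and reports whether the install predates the 4.5.3 release named here. It assumes that file layout and the 4.5.3 threshold from this post; sites on older release branches that may have received a separate backport are not accounted for.

```python
import re
import sys

# Release that carries the fix, as stated in this post.
FIXED_IN = (4, 5, 3)

# Constructed sample of wp-includes/version.php (not a real file dump).
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '4.5.2';
"""


def parse_wp_version(version_php: str):
    """Return ((major, minor, patch), is_prerelease) from version.php text."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    # Split off pre-release suffixes such as "-RC1" or "-alpha-12345".
    core, _, suffix = m.group(1).partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)  # "4.5" is the 4.5.0 release
    return tuple(parts), bool(suffix)


def needs_update(version_php: str) -> bool:
    """True when the install is older than the 4.5.3 release (pre-releases
    of 4.5.3 count as older, since they predate the final release)."""
    parts, prerelease = parse_wp_version(version_php)
    if parts == FIXED_IN and prerelease:
        return True
    return parts < FIXED_IN


if __name__ == "__main__":
    # Usage: python check_wp.py /path/to/wp-includes/version.php
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VERSION_PHP
    version, _ = parse_wp_version(text)
    status = "UPDATE REQUIRED" if needs_update(text) else "patched"
    print("WordPress %s: %s" % (".".join(map(str, version)), status))
```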