CVE-2018-20151 — Sensitive Information Exposure in Wordpress

CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

7.5HIGHNVD

EPSS

6.8%

top 8.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress Debian Linux

Timeline

PublishedDec 14

Latest updateMay 14

Description

In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 5.0.1+dfsg1-1 (bookworm)

▶NVDwordpress/wordpress5.0 — 5.0.1+1

▶Debianwordpress/wordpress< 5.0.1+dfsg1-1+3

Also affects: Debian Linux 8.0, 9.0

🔴Vulnerability Details

GHSA

GHSA-4mq7-pxfh-pjjv: In WordPress before 4↗2022-05-14

▶

OSV

CVE-2018-20151: In WordPress before 4↗2018-12-14

▶

📋Vendor Advisories

Debian

CVE-2018-20151: wordpress - In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could b...↗2018

▶