CVE-2023-5692 Affecting wordpress package, versions <6.5+dfsg1-1
- Snyk ID SNYK-DEBIANUNSTABLE-WORDPRESS-6577428
- published 6 Apr 2024
- disclosed 5 Apr 2024
Introduced: 5 Apr 2024
CVE-2023-5692
How to fix?
Upgrade Debian:unstable wordpress to version 6.5+dfsg1-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream wordpress package and not the wordpress package as distributed by Debian. See "How to fix?" for Debian:unstable relevant fixed versions and status.
WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set to 'false'.
References
- https://security-tracker.debian.org/tracker/CVE-2023-5692
- https://core.trac.wordpress.org/changeset/57645
- https://developer.wordpress.org/reference/functions/is_post_publicly_viewable/
- https://developer.wordpress.org/reference/functions/is_post_type_viewable/
- https://github.com/WordPress/wordpress-develop/blob/6.3/src/wp-includes/canonical.php#L763
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6e6f993b-ce09-4050-84a1-cbe9953f36b1?source=cve