Information Exposure Affecting johnpbloch/wordpress-core package, versions <3.7.40>=3.8.0, <3.8.40>=3.9.0, <3.9.38>=4.0.0, <4.0.37>=4.1.0, <4.1.37>=4.2.0, <4.2.34>=4.3.0, <4.3.30>=4.4.0, <4.4.29>=4.5.0, <4.5.28>=4.6.0, <4.6.25>=4.7.0, <4.7.25>=4.8.0, <4.8.21>=4.9.0, <4.9.22>=5.0.0, <5.0.18>=5.1.0, <5.1.15>=5.2.0, <5.2.17>=5.3.0, <5.3.14>=5.4.0, <5.4.12>=5.5.0, <5.5.11>=5.6.0, <5.6.10>=5.7.0, <5.7.8>=5.8.0, <5.8.6>=5.9.0, <5.9.5>=6.0.0, <6.0.3
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PHP-JOHNPBLOCHWORDPRESSCORE-8648603
- published21 Jan 2025
- disclosed18 Oct 2022
- creditThomas Kräftner
Introduced: 18 Oct 2022
CVE NOT AVAILABLE CWE-200 (opens in a new tab)How to fix?
Upgrade johnpbloch/wordpress-core to version 3.7.40, 3.8.40, 3.9.38, 4.0.37, 4.1.37, 4.2.34, 4.3.30, 4.4.29, 4.5.28, 4.6.25, 4.7.25, 4.8.21, 4.9.22, 5.0.18, 5.1.15, 5.2.17, 5.3.14, 5.4.12, 5.5.11, 5.6.10, 5.7.8, 5.8.6, 5.9.5, 6.0.3 or higher.
Overview
johnpbloch/wordpress-core is a web software you can use to create a website or blog.
Affected versions of this package are vulnerable to Information Exposure due to insufficient validation of user permissions on the REST-API endpoint for terms and tags. An attacker can access sensitive information about terms and tags associated with posts not owned by them, potentially leading to unauthorized disclosure of post details in private status.