Vulnerability Description
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die() can be leaked under certain conditions, which can include data like nonces. It can then be used to perform actions on your behalf. This has been patched in WordPress 5.8.1, along with any older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wordpress | Wordpress | >= 5.2, < 5.8.1 |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-m9hc-7v5Third Party Advisory
- https://hackerone.com/reports/1142140Permissions Required
- https://www.debian.org/security/2021/dsa-4985Third Party Advisory
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-m9hc-7v5Third Party Advisory
- https://hackerone.com/reports/1142140Permissions Required
- https://www.debian.org/security/2021/dsa-4985Third Party Advisory
FAQ
What is CVE-2021-39200?
CVE-2021-39200 is a vulnerability with a CVSS score of 5.3 (MEDIUM). WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die() can be leaked under ...
How severe is CVE-2021-39200?
CVE-2021-39200 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-39200?
Check the references section above for vendor advisories and patch information. Affected products include: Wordpress Wordpress, Debian Debian Linux.