CVE-2019-17671

MEDIUM NUCLEI LAB

WordPress < 5.2.4 - Unauthenticated Exposure of Sensitive Information via Static Query Property

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-17671. PoCs were published by Sebastian Neef and rhbb. A Nuclei detection template is also available.

AI-analyzed exploit summary: This is a writeup describing how to exploit an information leakage vulnerability in WordPress by manipulating URL parameters. It explains that adding `?static=1` to a WordPress URL can leak secret content, and further manipulation with `order` and `orderby` parameters can expose additional data.

Description

In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.

Exploits (2)

exploitdb WRITEUP
by Sebastian Neef · webapps · multiple
https://www.exploit-db.com/exploits/47690

This is a writeup describing how to exploit an information leakage vulnerability in WordPress by manipulating URL parameters. It explains that adding `?static=1` to a WordPress URL can leak secret content, and further manipulation with `order` and `orderby` parameters can expose additional data.

Classification: Writeup 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: WordPress (version not specified)
No auth needed
Prerequisites: Access to a WordPress instance with the vulnerability
devstral-2 · analyzed Feb 16, 2026

nomisec SUSPICIOUS 2 stars
by rhbb · poc
https://github.com/rhbb/CVE-2019-17671

The repository lacks functional exploit code and only provides a Docker setup for WordPress 5.2.3. The README contains minimal details and references external images without technical depth.

Classification: Suspicious 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: WordPress 5.2.3
No auth needed
Prerequisites: WordPress 5.2.3 instance
devstral-2 · analyzed Feb 19, 2026

Nuclei Templates (1)

WordPress <= 5.2.4 - Unauthenticated View Private/Draft Posts
MEDIUM · VERIFIED · by 0x_Akoko
Shodan: http.component:"wordpress" http.html:"status-draft"
FOFA: body="Wordpress" && body="status-draft"

References (9)

Core References
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9909
Release Notes, Vendor Advisory x_refsource_misc
https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
Patch, Vendor Advisory x_refsource_misc
https://core.trac.wordpress.org/changeset/46474
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/11/msg00000.html
Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2020/Jan/8
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2020/dsa-4599
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2020/dsa-4677

Scores

CVSS v3 5.3
EPSS 0.7290
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Lab Environment

COMMUNITY
Community Lab
docker pull wordpress:5.2.3

Details

CWE CWE-200
Status published
Products (4)
debian/debian_linux 8.0
debian/debian_linux 9.0
debian/debian_linux 10.0
wordpress/wordpress < 5.2.4
Published Oct 17, 2019
Tracked Since Feb 18, 2026