CVE-2021-39200
MEDIUM
WordPress 5.2-5.8 - Exposure of Sensitive Information via wp_die() Function
Title source: llm
Description
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions, output data of the function wp_die() can be leaked under certain conditions, and that output can include data such as nonces. The leaked data can then be used to perform actions on your behalf. This has been patched in WordPress 5.8.1, along with any older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.
References (3)
Core References
Third Party Advisory x_refsource_confirm
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-m9hc-7v5q-x8q5
Permissions Required x_refsource_misc
https://hackerone.com/reports/1142140
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2021/dsa-4985
Scores
CVSS v3
5.3
EPSS
0.0177
EPSS Percentile
82.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (3)
debian/debian_linux
10.0
debian/debian_linux
11.0
wordpress/wordpress
5.2 - 5.8.1
Published
Sep 09, 2021
Tracked Since
Feb 18, 2026