Description

In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default.

Remediation

References

CVE-2018-20151

Related Vulnerabilities

WordPress Plugin ZM Gallery SQL Injection (1.0)

WordPress Plugin WP User Switch Security Bypass (1.0.2)

WordPress Plugin Image Optimizer by 10web-Image Optimizer and Compression Directory Traversal (1.0.25)

WordPress Plugin Redux Framework Cross-Site Request Forgery (4.1.20)

WordPress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2016-1564)

Severity

High

Classification

CVE-2018-20151 CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities