CVE-2023-39999

MEDIUM 4.3 | EPSS 1.0%

WordPress < 6.3.2 is vulnerable to Broken Access Control

Published: 10/13/2023
Modified: 5/27/2026

Description

Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38.

Affected packages (4)

  • Bitnami/wordpress: >= 4.1.0, < 4.1.39; >= 4.2.0, < 4.2.36; >= 4.3.0, < 4.3.32; >= 4.4.0, < 4.4.31; >= 4.5.0, < 4.5.30; >= 4.6.0, < 4.6.27; >= 4.7.0, < 4.7.27; >= 4.8.0, < 4.8.23; >= 4.9.0, < 4.9.24; >= 5.0.0, < 5.0.20; >= 5.1.0, < 5.1.17; >= 5.2.0, < 5.2.19; >= 5.3.0, < 5.3.16; >= 5.4.0, < 5.4.14; >= 5.5.0, < 5.5.13; >= 5.6.0, < 5.6.12; >= 5.7.0, < 5.7.10; >= 5.8.0, < 5.8.8; >= 5.9.0, < 5.9.8; >= 6.0.0, < 6.0.6; >= 6.1.0, < 6.1.4; >= 6.2.0, < 6.2.3; >= 6.3.0, < 6.3.2
  • Bitnami/wordpress-multisite: >= 4.1.0, < 4.1.39; >= 4.2.0, < 4.2.36; >= 4.3.0, < 4.3.32; >= 4.4.0, < 4.4.31; >= 4.5.0, < 4.5.30; >= 4.6.0, < 4.6.27; >= 4.7.0, < 4.7.27; >= 4.8.0, < 4.8.23; >= 4.9.0, < 4.9.24; >= 5.0.0, < 5.0.20; >= 5.1.0, < 5.1.17; >= 5.2.0, < 5.2.19; >= 5.3.0, < 5.3.16; >= 5.4.0, < 5.4.14; >= 5.5.0, < 5.5.13; >= 5.6.0, < 5.6.12; >= 5.7.0, < 5.7.10; >= 5.8.0, < 5.8.8; >= 5.9.0, < 5.9.8; >= 6.0.0, < 6.0.6; >= 6.1.0, < 6.1.4; >= 6.2.0, < 6.2.3; >= 6.3.0, < 6.3.2
  • Debian/wordpress: from 0, < 5.7.11+dfsg1-0+deb11u1
  • Debian/wordpress: from 0, < 5.0.20+dfsg1-0+deb10u1

CVSS scores

Source | Version | Severity | Vector
osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (8)