Description
An Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows retrieval of embedded sensitive data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges are required to exploit it. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.
Problem types
CWE-201 Insertion of Sensitive Information Into Sent Data
Product status
6.8 (custom)
6.7 (custom)
6.6 (custom)
6.5 (custom)
6.4 (custom)
6.3 (custom)
6.2 (custom)
6.1 (custom)
6.0 (custom)
5.9 (custom)
5.8 (custom)
5.7 (custom)
5.6 (custom)
5.5 (custom)
5.4 (custom)
5.3 (custom)
5.2 (custom)
5.1 (custom)
5.0 (custom)
4.9 (custom)
4.8 (custom)
4.7 (custom)
Credits
Abu Hurayra (Patchstack Bug Bounty Program)
John Blackbourn (WordPress core security team lead)
Timothy Jacobs
Peter Wilson
Mike Nelson
References
patchstack.com/...tive-data-exposure-vulnerability?_s_id=cve
wordpress.org/news/2025/09/wordpress-6-8-3-release/