Description

In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default.

Remediation

References

CVE-2018-20151

Related Vulnerabilities

WordPress Plugin Event Espresso 4 Decaf-Event Registration Event Ticketing Cross-Site Request Forgery (4.10.11.decaf)

Joomla Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2007-4190)

TYPO3 Improper Input Validation Vulnerability (CVE-2012-1608)

WordPress Plugin GigPress Multiple Vulnerabilities (2.3.10)

WordPress Plugin Quiz Tool Lite Multiple Cross-Site Scripting Vulnerabilities (2.3.15)

Severity

High

Classification

CVE-2018-20151 CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities