|Description||In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
Vulnerable and fixed packages
The table below lists information on source packages.
|wordpress (PTS)||stretch (security), stretch||4.7.5+dfsg-2+deb9u6||fixed|
|buster, buster (security)||5.0.10+dfsg1-0+deb10u1||fixed|
The information below is based on the following data on fixed versions.