{"id":"CVE-2018-20152","details":"In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input.","modified":"2026-04-10T04:08:56.725561Z","published":"2018-12-14T20:29:00.563Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/106220"},{"type":"ADVISORY","url":"https://codex.wordpress.org/Version_4.9.9"},{"type":"ADVISORY","url":"https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/"},{"type":"ADVISORY","url":"https://wordpress.org/support/wordpress-version/version-5-0-1/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/02/msg00019.html"},{"type":"ADVISORY","url":"https://wpvulndb.com/vulnerabilities/9170"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4401"},{"type":"ADVISORY","url":"https://www.zdnet.com/article/wordpress-plugs-bug-that-led-to-google-indexing-some-user-passwords/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress","events":[{"introduced":"0"},{"fixed":"8d87e4a8b8aa7d66a4f5dd3795b5450fa0b76af0"},{"introduced":"491c67be12ca8a9fe37ae38307ba7e298c976ec3"},{"fixed":"3d448538caf519c6355bb32c0c8c21da87692855"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.9.9"},{"introduced":"5.0"},{"fixed":"5.0.1"}]}}],"versions":["4.9.8"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-20152.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}