WordPress: Open source blog software


Products by WordPress, sorted by most security vulnerabilities since 2018

Product                     Vulnerabilities
WordPress (Blog Platform)   128
WordPress Debug Bar         1
WordPress Gutenberg         1
WordPress Performance Lab   1
WordPress Requests          1
Wordpress Mu                1

Known Exploited WordPress Vulnerabilities

The following WordPress vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title: WordPress File Manager Remote Code Execution Vulnerability
CVE: CVE-2020-25213 (Exploit Probability: 94.4%)
Added: November 3, 2021
Description: The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension.

Title: WordPress Snap Creek Duplicator and Duplicator Pro plugins Directory Traversal
CVE: CVE-2020-11738 (Exploit Probability: 94.3%)
Added: November 3, 2021
Description: The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.

Title: WordPress Social-Warfare plugin XSS
CVE: CVE-2019-9978 (Exploit Probability: 88.1%)
Added: November 3, 2021
Description: The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.

Of the known exploited vulnerabilities above, 3 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2026 there has been 1 vulnerability in WordPress, with an average score of 8.2 out of ten. Last year, in 2025, WordPress had 11 security vulnerabilities published. Right now, WordPress is on track to have fewer security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 2.23.

Year  Vulnerabilities  Average Score
2026   1               8.20
2025  11               5.97
2024  14               6.31
2023  13               6.90
2022   9               6.54
2021   9               6.63
2020  21               6.65
2019  22               5.87
2018  16               8.13

It may take a day or so for new WordPress vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent WordPress Security Vulnerabilities

Each entry below lists the CVE and publication date, then the vulnerability title and description, then the affected products.
CVE-2023-54333 Jan 13, 2026
Critical SQLi in Social-Share-Buttons 2.2.3 via project_id param Social-Share-Buttons 2.2.3 contains a critical SQL injection vulnerability in the project_id parameter that allows attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted POST requests with malicious SQL payloads to retrieve and potentially steal entire database contents.
CVE-2025-5092 Nov 20, 2025
WordPress Plugins: XSS via lightGallery <=2.8.3 (Contributor+ attacks) Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled lightGallery library (<= 2.8.3) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
WordPress
CVE-2025-58674 Sep 23, 2025
WordPress Core Stored XSS (CVE-2025-58674) up to v6.8.2 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. The WordPress core security team is aware of the issue and working on a fix. This is a low-severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.
WordPress
CVE-2025-58246 Sep 23, 2025
WP <=6.8.2: Insert Sensitive Info into Outgoing Data (Contributor Priv.) Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability; Contributor-level privileges are required to exploit it. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.
WordPress
CVE-2025-54352 Jul 21, 2025
WordPress XML-RPC Pingback Title Guessing (v3.5–6.8.2) WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior.
WordPress
CVE-2025-2537 Jul 03, 2025
WordPress XSS via ThickBox JavaScript v3.1 in various plugins Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled ThickBox JavaScript library (version 3.1) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
WordPress
CVE-2025-48903 Jun 06, 2025
WP Media Lib Module Permission Bypass Permission bypass vulnerability in the media library module. Impact: successful exploitation of this vulnerability may affect availability.
WordPress
CVE-2024-5878 May 20, 2025
WP Plugins: SimpleLightbox 2.1.5 Stored XSS (auth) Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled SimpleLightbox JavaScript library (version 2.1.5) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
WordPress
CVE-2025-21095 Mar 05, 2025
WordPress 6.8.0 Path Traversal for Arbitrary File Download Path traversal may lead to arbitrary file download. The score without least privilege principle violation is as calculated below. In combination with other issues it may facilitate further compromise of the device. Remediation in Version 6.8.0, release date: 01-Mar-25.
WordPress
CVE-2024-5667 Mar 05, 2025
WP plugins XSS via Featherlight.js v1.7.13-1.7.14 Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Featherlight.js JavaScript library (versions 1.7.13 to 1.7.14) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
WordPress
CVE-2025-26527 Feb 24, 2025
WordPress Tags Unintended Disclosure via Tag Search & Tags Block Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block.
WordPress
CVE-2023-40108 Jan 21, 2025
Local Media Disclosure via Missing Permission Check (CVE-2023-40108) In multiple locations, there is a possible way to access media content belonging to another user due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
WordPress
CVE-2024-11331 Dec 20, 2024
WordPress Plugin '??????? ??????? ??????? ???? ????': Reflected XSS Vulnerability The ??????? ??????? ??????? ???? ???? plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
WordPress
CVE-2024-11875 Dec 12, 2024
WordPress Plugin 'Add infos to the events calendar' Stored XSS Vulnerability in 'fuss' Shortcode The Add infos to the events calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fuss' shortcode in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
WordPress
CVE-2024-11091 Nov 26, 2024
WordPress Support SVG Plugin: Stored XSS via REST API SVG File Uploads The Support SVG Upload svg files in wordpress without hassle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
WordPress
CVE-2024-11229 Nov 23, 2024
Stored XSS Vulnerability in WordPress Plugin ??? ??? via Shortcodes The ???? ??? plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's add_plus_friends and add_plus_talk shortcodes in all versions up to, and including, 1.1.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
WordPress
CVE-2024-11231 Nov 23, 2024
Stored XSS Vulnerability in WordPress Plugin ???? ????? via mnp_purchase Shortcode The ???? ????? plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mnp_purchase shortcode in all versions up to, and including, 3.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
WordPress
CVE-2024-9830 Nov 19, 2024
WordPress Bard Theme Reflected XSS Vulnerability in URL Parameter Handling The Bard theme for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.216. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
WordPress
CVE-2022-4973 Oct 16, 2024
WordPress Core 6.0.2 Authenticated Stored XSS via the_meta() WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically Authors, Contributors, and Editors, making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page.
WordPress
CVE-2024-6307 Jun 25, 2024
WordPress Core <6.5.5 Stored XSS via HTML API (Contributor+) WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
WordPress
CVE-2024-35162 May 22, 2024
WordPress: Path Traversal via Dashboard Plugin (<1.8.6) Path traversal vulnerability exists in Download Plugins and Themes from Dashboard versions prior to 1.8.6. If this vulnerability is exploited, a remote authenticated attacker with "switch_themes" privilege may obtain arbitrary files on the server.
WordPress
CVE-2024-4439 May 03, 2024
WordPress Core <= 6.5.2 Stored XSS via Avatar Block Display Name WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.
WordPress
CVE-2023-5692 Apr 05, 2024
WordPress 6.4.3 Sensitive Info Exposure via redirect_guess_404_permalink WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set to 'false'.
WordPress
CVE-2024-31211 Apr 04, 2024
WordPress Unserializable WP_HTML_Token Causing Code Exec before 6.4.2 WordPress is an open publishing platform for the Web. Unserialization of instances of the `WP_HTML_Token` class allows for code execution via its `__destruct()` magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected.
WordPress
CVE-2024-31210 Apr 04, 2024
WordPress Admin Plugin Upload RCE via NonZip File, Fixed 6.4.3 WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins -> Add New -> Upload Plugin screen in WordPress. If FTP credentials are requested for installation (in order to move the file into place outside of the `uploads` directory) then the uploaded file remains temporary available in the Media Library despite it not being allowed. If the `DISALLOW_FILE_EDIT` constant is set to `true` on the site _and_ FTP credentials are required when uploading a new theme or plugin, then this technically allows an RCE when the user would otherwise have no means of executing arbitrary PHP code. This issue _only_ affects Administrator level users on single site installations, and Super Admin level users on Multisite installations where it's otherwise expected that the user does not have permission to upload or execute arbitrary PHP code. Lower level users are not affected. Sites where the `DISALLOW_FILE_MODS` constant is set to `true` are not affected. Sites where an administrative user either does not need to enter FTP credentials or they have access to the valid FTP credentials, are not affected. The issue was fixed in WordPress 6.4.3 on January 30, 2024 and backported to versions 6.3.3, 6.2.4, 6.1.5, 6.0.7, 5.9.9, 5.8.9, 5.7.11, 5.6.13, 5.5.14, 5.4.15, 5.3.17, 5.2.20, 5.1.18, 5.0.21, 4.9.25, 2.8.24, 4.7.28, 4.6.28, 4.5.31, 4.4.32, 4.3.33, 4.2.37, and 4.1.40. A workaround is available. If the `DISALLOW_FILE_MODS` constant is defined as `true` then it will not be possible for any user to upload a plugin and therefore this issue will not be exploitable.
WordPress
CVE-2024-21724 Feb 29, 2024
WordPress Extensions XSS via Media Selection Fields (CVE-2024-21724) Inadequate input validation for media selection fields lead to XSS vulnerabilities in various extensions.
WordPress
CVE-2023-5561 Oct 16, 2023
WordPress REST API Exposes User Emails via Unrestricted Search Fields WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an oracle-style attack.
WordPress
CVE-2023-39999 Oct 13, 2023
WordPress Sensitive Info Exposure (4.16.3.1) CVE-2023-39999 Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38.
WordPress
CVE-2023-38000 Oct 13, 2023
WordPress Auth. Stored XSS in Core 5.9-6.3 & Gutenberg 16.8. Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin <= 16.8.0 versions.
WordPress
Gutenberg
CVE-2023-32565 Aug 10, 2023
WordPress 6.4.1: Data Leakage & DoS via Crafted Request An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. Fixed in version 6.4.1.
WordPress
CVE-2023-26446 Aug 02, 2023
WordPress XSS via unsanitized clientID in Application Passwords The user's clientID at "application passwords" was not sanitized or escaped before being added to the DOM. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this, an attacker would require temporary access to the user's account or lure a user to a compromised account. We now sanitize the user-controllable clientID parameter. No publicly available exploits are known.
WordPress
CVE-2020-36708 Jun 07, 2023
WordPress Themes <=1.3.1 Function Injection via epsilon_framework_ajax_action The following themes for WordPress are vulnerable to Function Injections in versions up to and including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4. This is due to epsilon_framework_ajax_action. This makes it possible for unauthenticated attackers to call functions and achieve remote code execution.
WordPress
CVE-2013-10027 Jun 04, 2023
WordPress Blogger Importer Plugin 0.5 XSRF via blogger-importer.php A vulnerability was found in Blogger Importer Plugin up to 0.5 on WordPress. It has been classified as problematic. Affected is the function start/restart of the file blogger-importer.php. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. Upgrading to version 0.6 is able to address this issue. The patch is identified as b83fa4f862b0f19a54cfee76060ec9c2e7f7ca70. It is recommended to upgrade the affected component. VDB-230658 is the identifier assigned to this vulnerability.
Blogger Importer
CVE-2022-47174 May 25, 2023
Performance Lab <=2.2.0 CSRF in WordPress Plugin Cross-Site Request Forgery (CSRF) vulnerability in WordPress Performance Team Performance Lab plugin <= 2.2.0 versions.
Performance Lab
CVE-2022-47161 May 25, 2023
WordPress Health Check CSRF in v<=1.5.1 Cross-Site Request Forgery (CSRF) vulnerability in The WordPress.Org community Health Check & Troubleshooting plugin <= 1.5.1 versions.
Health Check Troubleshooting
CVE-2023-2745 May 17, 2023
WordPress Core 6.2 Unauth DT via wp_lang Param WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the wp_lang parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.
WordPress
CVE-2013-10021 Mar 11, 2023
dd32 Debug Bar XSS in WordPress Plugin (before 0.8) A vulnerability was found in dd32 Debug Bar Plugin up to 0.8 on WordPress. It has been declared as problematic. Affected by this vulnerability is the function render of the file panels/class-debug-bar-queries.php. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 0.8.1 is able to address this issue. The patch is named 0842af8f8a556bc3e39b9ef758173b0a8a9ccbfc. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-222739.
Debug Bar
CVE-2022-4327 Jan 16, 2023
WordPress Admin-Only Vulnerability: No Security Risk CVE-2022-4327 This issue does not bear any security risk as it's only exploitable by users with administrator or super-administrator roles, who can already do what they want on their site.
WordPress
CVE-2023-22622 Jan 05, 2023
WordPress <=6.1.1 wp-cron.php Schedule Timing Flaw (CVE-2023-22622) WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits.
WordPress
CVE-2022-3590 Dec 14, 2022
WordPress pingback blind SSRF TOCTOU WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
WordPress
CVE-2022-43504 Dec 05, 2022
WP Post by Email Auth Bypass, <6.0.3 (Fixed 6.0.3) Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7.
WordPress
CVE-2022-43500 Dec 05, 2022
WordPress XSS in v<6.0.3 Unauth Script Injection (patched 3.7+) Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
WordPress
CVE-2022-43497 Dec 05, 2022
CVE-2022-43497 WP XSS before 6.0.3 & 3.7 patched Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
WordPress
CVE-2011-1762 Apr 18, 2022
A flaw exists in Wordpress related to the 'wp-admin/press-this.php' script improperly checking user permissions when publishing posts. This may allow a user with 'Contributor-level' privileges to post as if they had 'publish_posts' permission.
WordPress
CVE-2022-21664 Jan 06, 2022
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases going back to 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.
WordPress
CVE-2022-21662 Jan 06, 2022
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform a stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases going back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.
WordPress
CVE-2022-21661 Jan 06, 2022
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases going back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.
WordPress
CVE-2022-21663 Jan 06, 2022
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with the Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases going back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.
WordPress
CVE-2021-44223 Nov 25, 2021
WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.
WordPress
CVE-2021-39203 Sep 09, 2021
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions, authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain conditions. This affected WordPress 5.8 beta during the testing period. It's fixed in the final 5.8 release.
WordPress
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms