CVE-2021-29450: 
NixOS vulnerability analysis and mitigation

CVE-2021-29450 affects WordPress versions 4.7 through 5.7. The vulnerability allows authenticated users with at least contributor privileges to expose password-protected posts and pages through the WordPress editor's Latest Posts block. This security issue was discovered and patched in WordPress 5.7.1, released in April 2021, along with backported fixes for older affected versions (WordPress Advisory, GitHub Advisory).

The vulnerability exists in the Latest Posts block functionality of the WordPress editor, where the posts REST API could be exploited when using the 'edit' context. An authenticated user with contributor privileges could access the content of password-protected posts by visiting specific REST API endpoints. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The issue is classified as CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (WPScan).

The vulnerability allows authenticated users with contributor-level access to bypass password protection mechanisms and view the content of password-protected posts and pages. This could lead to unauthorized access to sensitive or private content that was intended to be restricted (NVD).

The vulnerability has been patched in WordPress 5.7.1 and backported to older affected versions through minor releases. Users are strongly recommended to keep auto-updates enabled to receive the fix. The specific versions that received security updates include 4.7.20, 4.8.16, 4.9.17, 5.0.12, 5.1.9, 5.2.10, 5.3.7, 5.4.5, 5.5.4, 5.6.3, and 5.7.1 (Debian Security, GitHub Advisory).