CVE-2021-39200: 
NixOS vulnerability analysis and mitigation

WordPress versions 5.4 to 5.8 were affected by a data exposure vulnerability within the REST API (CVE-2021-39200). The vulnerability was discovered and reported by @mdawaffe, a member of the WordPress Security Team, and was officially patched in WordPress version 5.8.1 released on September 9, 2021 (WPScan).

The vulnerability involves the wp_die() function, where output data could be leaked under certain conditions through JSONP, potentially exposing sensitive information including nonces. The issue was assigned a CVSS score of 5.3 (medium severity) and is classified under CWE-200 (Information Disclosure) and CWE-352 (CSRF) (GitHub Advisory, Patchstack).

When exploited, the vulnerability could lead to the exposure of sensitive data, particularly nonces, which could then be used by attackers to perform actions on behalf of other users. This information disclosure could potentially lead to Cross-Site Request Forgery (CSRF) attacks (Patchstack).

The vulnerability was patched in WordPress version 5.8.1, with corresponding security updates also released for all affected versions since WordPress 5.4. Sites with automatic updates enabled would have received the fix automatically. Users are strongly recommended to update to the patched versions (GitHub Advisory).