WordPress — 5.8.1 Exploit

A vulnerability in the WordPress REST API could lead to unintended information disclosure, including potential leakage of sensitive data via JSONP, which might also lead to Cross-Site Request Forgery (CSRF) in certain scenarios.
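As an added example (not part of the original page and not WordPress's own code), the following check scans web-server access logs for REST API requests that asked for a JSONP response and marks those made from a page on another origin. It assumes combined log format and relies on the `_jsonp` query parameter that the WordPress REST API uses to request JSONP; the log lines, host names and the `jsonp_rest_hits` helper are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Sep/2021:10:01:02 +0000] "GET /wp-json/wp/v2/users?_jsonp=cb HTTP/1.1" 200 512 "https://other.example/page" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2021:10:01:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048 "https://blog.example/" "Mozilla/5.0"
198.51.100.4 - - [10/Sep/2021:10:02:11 +0000] "GET /?rest_route=/wp/v2/users&_jsonp=x HTTP/1.1" 200 498 "-" "curl/7.79"
198.51.100.9 - - [10/Sep/2021:10:03:40 +0000] "GET /wp-json/wp/v2/posts?_jsonp=render HTTP/1.1" 200 2101 "https://blog.example/widget" "Mozilla/5.0"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def jsonp_rest_hits(log_text, site_host):
    """Return REST API requests that asked for a JSONP response."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        url = urlsplit(m["target"])
        query = parse_qs(url.query, keep_blank_values=True)
        # The REST API is reachable as /wp-json/... or as ?rest_route=...
        is_rest = url.path.startswith("/wp-json/") or "rest_route" in query
        if not (is_rest and "_jsonp" in query):
            continue
        ref_host = urlsplit(m["referer"]).hostname  # None for "-" or empty
        hits.append({
            "ip": m["ip"],
            "target": m["target"],
            "status": int(m["status"]),
            # JSONP is loaded via <script>, so a foreign Referer is the case to review.
            # Assumption: the Referer header is present and trustworthy enough to triage on.
            "cross_origin": ref_host is not None and ref_host != site_host,
        })
    return hits

if __name__ == "__main__":
    for hit in jsonp_rest_hits(SAMPLE_LOG, "blog.example"):
        print(hit)
```
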

A Cross-Site Scripting (XSS) vulnerability was identified in the Gutenberg block editor. If exploited, an attacker could inject malicious scripts into the editor, potentially stealing session tokens or performing administrative actions on behalf of an authenticated user.

The security release patched three main issues that could be leveraged by attackers: