{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-20T22:20:51.642","vulnerabilities":[{"cve":{"id":"CVE-2021-29504","sourceIdentifier":"security-advisories@github.com","published":"2021-06-07T21:15:08.387","lastModified":"2026-06-17T03:47:47.383","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"WP-CLI is the command-line interface for WordPress. An improper error handling in HTTPS requests management in WP-CLI version 0.12.0 and later allows remote attackers able to intercept the communication to remotely disable the certificate verification on WP-CLI side, gaining full control over the communication content, including the ability to impersonate update servers and push malicious updates towards WordPress instances controlled by the vulnerable WP-CLI agent, or push malicious updates toward WP-CLI itself. The vulnerability stems from the fact that the default behavior of `WP_CLI\\Utils\\http_request()` when encountering a TLS handshake error is to disable certificate validation and retry the same request. The default behavior has been changed with version 2.5.0 of WP-CLI and the `wp-cli/wp-cli` framework (via https://github.com/wp-cli/wp-cli/pull/5523) so that the `WP_CLI\\Utils\\http_request()` method accepts an `$insecure` option that is `false` by default and consequently that a TLS handshake failure is a hard error by default. This new default is a breaking change and ripples through to all consumers of `WP_CLI\\Utils\\http_request()`, including those in separate WP-CLI bundled or third-party packages. https://github.com/wp-cli/wp-cli/pull/5523 has also added an `--insecure` flag to the `cli update` command to counter this breaking change. There is no direct workaround for the default insecure behavior of `wp-cli/wp-cli` versions before 2.5.0. 
The workaround for dealing with the breaking change in the commands directly affected by the new secure default behavior is to add the `--insecure` flag to manually opt-in to the previous insecure behavior."},{"lang":"es","value":"WP-CLI es la interfaz de línea de comandos para WordPress. Un manejo inapropiado de errores en la administración de peticiones HTTPS en la versión 0.12.0 y posteriores de WP-CLI, permite a atacantes remotos capaces de interceptar la comunicación desactivar remotamente la comprobación del certificado en el lado de WP-CLI, obteniendo un control total sobre el contenido de la comunicación, incluyendo la habilidad de hacerse pasar por servidores de actualización y empujar actualizaciones maliciosas hacia instancias de WordPress controladas por el agente vulnerable de WP-CLI, o empujar actualizaciones maliciosas hacia el propio WP-CLI. La vulnerabilidad proviene del hecho de que el comportamiento por defecto de la función \"WP_CLI\\Utils\\http_request()\" cuando se encuentra un error de protocolo de enlace TLS es desactivar la comprobación del certificado y volver a intentar la misma petición. El comportamiento por defecto ha sido cambiado con la versión 2.5.0 de WP-CLI y el framework \"wp-cli/wp-cli\" (por medio de https://github.com/wp-cli/wp-cli/pull/5523) para que el método \"WP_CLI\\Utils\\http_request()\" acepte una opción \"$insecure\" que es \"false\" por defecto y en consecuentemente un fallo de protocolo de enlace TLS es un error duro por defecto. Este nuevo valor por defecto es un cambio de ruptura y se extiende a todos los consumidores de la función \"WP_CLI\\Utils\\http_request()\", incluyendo aquellos en paquetes separados de WP-CLI o de terceros. https://github.com/wp-cli/wp-cli/pull/5523 también ha añadido un flag \"--insecure\" al comando \"cli update\" para contrarrestar este cambio de ruptura. No hay una solución directa para el comportamiento no seguro por defecto de las versiones anteriores a 2.5.0 de \"wp-cli/wp-cli\". 
La solución para tratar el cambio de ruptura en los comandos directamente afectados por el nuevo comportamiento seguro por defecto es añadir el flag \"--insecure\" para optar manualmente por el comportamiento no seguro anterior"}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"wp-cli","product":"wp-cli","versions":[{"version":"< 2.5.0","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":5.2}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-295"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wp-cli:wp-cli:*:*:*:*:*:*:*:*","versionStartIncluding":"0.12.0","versionEndExcluding":"2.5.0","matchCriteriaId":"7905C5F9-7215-431B-87D0-B302B66363D9"}]}]}],"references":[{"url":"https://github.com/wp-cli/checksum-command/pull/86","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/wp-cli/config-command/pull/128","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/wp-cli/core-command/pull/186","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/wp-cli/extension-command/pull/287","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/wp-cli/package-command/pull/138","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/wp-cli/wp-cli/pull/5523","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/wp-cli/wp-cli/security/advisories/GHSA-rwgm-f83r-v3qj","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/wp-cli/checksum-command/pull/86","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/wp-cli/config-command/pull/128","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/wp-cli/core-command/pull/186","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/wp-cli/extension-command/pull/287","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/wp-cli/package-command/pull/138","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://github.com/wp-cli/wp-cli/pull/5523","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/wp-cli/wp-cli/security/advisories/GHSA-rwgm-f83r-v3qj","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}