In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25286
Reference (s):
- https://core.trac.wordpress.org/changeset/47984
- https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/