CVE-2009-2854 — Wordpress vulnerability

CWE-2644 documents4 sources

Severity

6.4MEDIUMNVD

EPSS

1.4%

top 19.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress

Timeline

PublishedAug 18

Latest updateMay 2

Description

Wordpress before 2.8.3 does not check capabilities for certain actions, which allows remote attackers to make unauthorized edits or additions via a direct request to (1) edit-comments.php, (2) edit-pages.php, (3) edit.php, (4) edit-category-form.php, (5) edit-link-category-form.php, (6) edit-tag-form.php, (7) export.php, (8) import.php, or (9) link-add.php in wp-admin/.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 10.0 | Impact: 4.9

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 2.8.3-1 (bookworm)

▶Debianwordpress/wordpress< 2.8.3-1+3

▶NVDwordpress/wordpress2.8.2

Patches

Patch: wordpress.org ↗Patch: wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-vr94-84mg-gxfp: Wordpress before 2↗2022-05-02

▶

OSV

CVE-2009-2854: Wordpress before 2↗2009-08-18

▶

📋Vendor Advisories

Debian

CVE-2009-2854: wordpress - Wordpress before 2.8.3 does not check capabilities for certain actions, which al...↗2009

▶