CVE-2010-5296Wordpress vulnerability

CWE-2644 documents4 sources
Severity
4.9MEDIUMNVD
EPSS
0.4%
top 39.03%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
WordpressDebian Wordpress
Timeline
PublishedJan 21
Latest updateMay 17

Description

wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 6.8 | Impact: 4.9

Affected Packages3 packages

debiandebian/wordpress< wordpress 3.0.2-1 (bookworm)
Debianwordpress/wordpress< 3.0.2-1+3
NVDwordpress/wordpress3.0.1+46

Patches

Patch: core.trac.wordpress.orgPatch: core.trac.wordpress.org

🔴Vulnerability Details

2
GHSA
GHSA-w56v-4m7h-jhq8: wp-includes/capabilities2022-05-17
OSV
CVE-2010-5296: wp-includes/capabilities2014-01-21

📋Vendor Advisories

1
Debian
CVE-2010-5296: wordpress - wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configu...2010
CVE-2010-5296 — Debian Wordpress vulnerability | cvebase