CVE-2012-4421 — Wordpress vulnerability

CWE-2645 documents5 sources

Severity

4.0MEDIUMNVD

EPSS

0.2%

top 57.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress

Timeline

PublishedSep 14

Latest updateMay 17

Description

The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages2 packages

▶Debianwordpress/wordpress< 3.4.2+dfsg-1+3

▶NVDwordpress/wordpress3.4.1+84

Patches

Patch: core.trac.wordpress.org ↗Patch: core.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-v9p6-jxgm-w55j: The create_post function in wp-includes/class-wp-atom-server↗2022-05-17

▶

CVEList

CVE-2012-4421: The create_post function in wp-includes/class-wp-atom-server↗2012-09-14

▶

OSV

CVE-2012-4421: The create_post function in wp-includes/class-wp-atom-server↗2012-09-14

▶

📋Vendor Advisories

Debian

CVE-2012-4421: wordpress - The create_post function in wp-includes/class-wp-atom-server.php in WordPress be...↗2012

▶