CVE-2015-5623 — Improper Access Control in Wordpress

CWE-284 — Improper Access Control7 documents5 sources

Severity

4.0MEDIUMNVD

EPSS

48.4%

top 2.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress Debian Linux

Timeline

PublishedAug 3

Latest updateMay 17

Description

WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 4.2.3+dfsg-1 (bookworm)

▶Debianwordpress/wordpress< 4.2.3+dfsg-1+3

▶NVDwordpress/wordpress4.2.2

Also affects: Debian Linux 8.0

Patches

Patch: codex.wordpress.org ↗Patch: wordpress.org ↗Patch: codex.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-fp5j-7rg9-v2c7: WordPress before 4↗2022-05-17

▶

OSV

CVE-2015-5623: WordPress before 4↗2015-08-03

▶

📋Vendor Advisories

Debian

CVE-2015-5623: wordpress - WordPress before 4.2.3 does not properly verify the edit_posts capability, which...↗2015

▶

💬Community

Bugzilla

CVE-2015-5622 CVE-2015-5623 wordpress: cross-site scripting and permission issue fixed in [fedora-all]↗2015-07-24

▶

Bugzilla

CVE-2015-5622 CVE-2015-5623 wordpress: cross-site scripting and permission issue fixed in wordpress 4.2.3↗2015-07-24

▶

Bugzilla

CVE-2015-5622 CVE-2015-5623 wordpress: cross-site scripting and permission issue fixed in [epel-all]↗2015-07-24

▶