Permissions, Privileges, and Access Controls in WordPress - CVE-2010-5297


Published: January 21, 2014 / Updated: August 10, 2020


Vulnerability identifier: #VU42131
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2010-5297
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: WordPress.ORG
Affected software:
WordPress

Detailed vulnerability description

The vulnerability allows a remote authenticated administrator of an individual site in a Multisite network to bypass an intended access restriction and add users.

WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" network option once it has been changed: enabling it takes effect, but a later attempt to disable it is not persisted. A site administrator can therefore still perform the add-user action after the network administrator believes the permission has been revoked, which, in the opportunistic case of a temporary change, lets remote authenticated administrators bypass the intended access restriction.
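The retained-option behaviour described above is the classic "checkbox never resets" defect in a settings-save handler: a ticked checkbox arrives in the POST body, an unticked one is simply absent, so a loop that only writes fields present in the request can enable an option but never disable it. The PHP below is an added illustration written for this page, not WordPress's own code; the option name add_new_users is the real Multisite network setting, while the in-memory store, the function names and the sample POST bodies are constructed, and the shape of the handler is an assumption made to reproduce the behaviour the description states.

```php
<?php
// Added illustration (not WordPress's own code): a stand-in for the Network
// Settings save handler that shows why a checkbox-backed option can be
// switched on but never switched off again. The option name add_new_users is
// the real Multisite network setting; the store, function names and sample
// POST bodies are constructed for this example.

/** Constructed in-memory stand-in for the network options (wp_sitemeta) table. */
function fresh_store(): array
{
    return ['registration' => 'none', 'add_new_users' => 0];
}

/**
 * Vulnerable pattern: walk the known option names and write whatever the
 * request carries. An unchecked HTML checkbox is simply absent from the POST
 * body, so the loop skips it and the previously saved value survives.
 */
function save_network_settings_vulnerable(array $store, array $post): array
{
    foreach (['registration', 'add_new_users'] as $name) {
        if (!isset($post[$name])) {
            continue; // box unticked => nothing written, old value kept
        }
        $store[$name] = $post[$name];
    }
    return $store;
}

/**
 * Hardened pattern: give every checkbox-backed option an explicit "unchecked"
 * value before the generic loop runs, so a temporary enable is reverted on the
 * next save instead of being retained indefinitely.
 */
function save_network_settings_fixed(array $store, array $post): array
{
    $checkbox_off_values = ['add_new_users' => 0];
    foreach ($checkbox_off_values as $name => $off) {
        if (!isset($post[$name])) {
            $post[$name] = $off;
        }
    }
    return save_network_settings_vulnerable($store, $post);
}

/** Simplified gate a per-site administrator hits on Users -> Add New. */
function site_admin_may_add_users(array $store): bool
{
    return (bool) $store['add_new_users'];
}

// Scenario: the network admin ticks the box once, then unticks it and saves
// again. Constructed POST bodies as a browser would submit them:
$enable  = ['registration' => 'none', 'add_new_users' => '1'];
$disable = ['registration' => 'none']; // unticked checkbox => key absent

$handlers = [
    'vulnerable' => 'save_network_settings_vulnerable',
    'fixed'      => 'save_network_settings_fixed',
];
foreach ($handlers as $label => $handler) {
    $store = $handler(fresh_store(), $enable); // temporary change
    $store = $handler($store, $disable);       // network admin reverts it
    printf(
        "%-10s add_new_users=%s -> site admins may still add users: %s\n",
        $label,
        var_export($store['add_new_users'], true),
        site_admin_may_add_users($store) ? 'yes' : 'no'
    );
}
```

Running the script shows the vulnerable handler leaving add_new_users at '1' after the revert while the fixed handler returns it to 0. On a live network the stored value can be read with WP-CLI (`wp site option get add_new_users`), and `wp core version` confirms whether the install is at 3.0.1 or later; a network that reports 1 for the option after the box has been unticked in the UI is exhibiting exactly the retained-setting behaviour this advisory describes.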


How to mitigate CVE-2010-5297

Update to WordPress 3.0.1 or later from the vendor's website; the affected behaviour is specific to installations before 3.0.1 running in Multisite mode. After updating, re-save the Network Settings page with the "site administrators can add users" option in its intended state so that the stored value reflects the desired policy rather than the one retained by the vulnerable version.
