Main Vulnerability Database Vulnerabilities #VU43514

Permissions, Privileges, and Access Controls in WordPress - CVE-2010-5106

Published: September 14, 2012 / Updated: August 11, 2020

Vulnerability identifier: #VU43514

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2010-5106

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: WordPress.ORG

Affected software:
WordPress

Detailed vulnerability description

The vulnerability allows a remote #AU# to read and manipulate data.

The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote authenticated users to bypass intended access restrictions, and publish, edit, or delete posts, by leveraging the Author or Contributor role.

How to mitigate CVE-2010-5106

Install update from vendor's website.

Sources

http://codex.wordpress.org/Version_3.0.3
http://core.trac.wordpress.org/changeset/16803
http://openwall.com/lists/oss-security/2012/09/14/10

Permissions, Privileges, and Access Controls in WordPress - CVE-2010-5106

Detailed vulnerability description

How to mitigate CVE-2010-5106

Sources

Please verify you're human