Permissions, Privileges, and Access Controls in WordPress - CVE-2012-4421
Published: September 14, 2012 / Updated: August 11, 2020
Vulnerability identifier: #VU43515
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2012-4421
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: WordPress.ORG
Affected software:
WordPress
WordPress
Detailed vulnerability description
The vulnerability allows a remote #AU# to manipulate data.
The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature.
How to mitigate CVE-2012-4421
Install update from vendor's website.