Description
WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action sent to wp-admin/post.php.
Remediation
Upgrade WordPress to version 4.2.3 or later, which restores the edit_posts capability check on the quick-draft save action.
References
Related Vulnerabilities
WordPress Plugin Avenir-soft Direct Download Multiple Vulnerabilities (1.0)
PostgreSQL Other Vulnerability (CVE-2006-0105)
WordPress Plugin Skysa App Bar Integration 'submit' Parameter Cross-Site Scripting (1.03)
WordPress Plugin Weather Effect-Christmas Santa Snow Falling Cross-Site Scripting (1.3.5)