Description

wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action.

Remediation

References

CVE-2010-5296

Related Vulnerabilities

OpenSSL Other Vulnerability (CVE-2015-0291)

MediaWiki Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2008-5249)

e107 Other Vulnerability (CVE-2005-1949)

WordPress Plugin Easy2Map Photos Multiple Vulnerabilities (1.0.9)

WordPress Plugin Events Manager Multiple Vulnerabilities (5.9.7.3)

Severity

Medium

Classification

CVE-2010-5296 CWE-264

Tags

Missing Update Known Vulnerabilities