Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

WordPress Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-3383)

Description

The map_meta_cap function in wp-includes/capabilities.php in WordPress 3.4.x before 3.4.2, when the multisite feature is enabled, does not properly assign the unfiltered_html capability, which allows remote authenticated users to bypass intended access restrictions and conduct cross-site scripting (XSS) attacks by leveraging the Administrator or Editor role and composing crafted text.

Remediation

References

Related Vulnerabilities

Moodle Improper Authentication Vulnerability (CVE-2014-3552)

Joomla! Core Multiple Vulnerabilities (2.5.0 - 3.10.6)

Joomla Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2012-0837)

WordPress Plugin Remove WP Update Nags Security Bypass (1.3.0)

WordPress Plugin WOOCS-Currency Switcher for WooCommerce Professional Cross-Site Scripting (1.3.7)

Severity

Low

Classification

CVE-2012-3383 CWE-264

Tags

Missing Update Known Vulnerabilities