Description
The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature.
Remediation
References
Related Vulnerabilities
WordPress Plugin Flight Search Widget and Blocks Cross-Site Scripting (1.1.0)
IBM WebSEAL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-3045)
WordPress Plugin WP-DBManager Multiple Vulnerabilities (2.71)
Oracle HTTP Server Other Vulnerability (CVE-2020-35167)
Oracle Database Server CVE-2012-0511 Vulnerability (CVE-2012-0511)