Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

WordPress Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-4421)

Description

The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature.

Remediation

References

Related Vulnerabilities

WordPress Plugin LISL Last-Image Slider TimThumb Arbitrary File Upload (1.0)

Apache HTTP Server Improper Handling of Case Sensitivity Vulnerability (CVE-2001-0766)

WordPress Plugin Animal Captcha Cross-Site Scripting (1.6.2)

OpenSSL Other Vulnerability (CVE-2015-0208)

Oracle JRE Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-0422)

Severity

Medium

Classification

CVE-2012-4421 CWE-264

Tags

Missing Update Known Vulnerabilities