Vulnerability Description
The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wordpress | Wordpress | <= 3.4.1 |
Related Weaknesses (CWE)
References
- http://codex.wordpress.org/Version_3.4.2
- http://core.trac.wordpress.org/changeset?old_path=%2Ftags%2F3.4.1&old=21780&new_ExploitPatch
- http://openwall.com/lists/oss-security/2012/09/13/4
- http://codex.wordpress.org/Version_3.4.2
- http://core.trac.wordpress.org/changeset?old_path=%2Ftags%2F3.4.1&old=21780&new_ExploitPatch
- http://openwall.com/lists/oss-security/2012/09/13/4
FAQ
What is CVE-2012-4421?
CVE-2012-4421 is a vulnerability with a CVSS score of 4.0 (MEDIUM). The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restri...
How severe is CVE-2012-4421?
CVE-2012-4421 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-4421?
Check the references section above for vendor advisories and patch information. Affected products include: Wordpress Wordpress.