WordPress Lets Contributors Bypass 'publish_posts' Access Check

SecurityTracker Alert ID: 1025445
SecurityTracker URL: http://securitytracker.com/id/1025445
CVE Reference: GENERIC-MAP-NOMATCH
Date: Apr 27 2011
Impact: Modification of user information
Fix Available: Yes   Vendor Confirmed: Yes   Exploit Included: Yes
Version(s): prior to 3.1.2
Description:
A vulnerability was reported in WordPress. A remote authenticated user can improperly publish posts.
A remote authenticated user with Contributor-level privileges but without the 'publish_posts' capability can publish posts.
WordPress developer Andrew Nacin, with Benjamin Balter, reported this vulnerability.

Impact:
A remote authenticated user with Contributor privileges can improperly publish posts.
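The control the advisory describes as bypassed is the 'publish_posts' capability check. As an added defence-in-depth illustration (example code written for this page, not WordPress core and not the 3.1.2 patch), the plugin filter below re-enforces that capability on every post insert or update, whichever code path submitted the post; the hook, filter signature and capability API are WordPress's own, while the demote-to-pending policy and the log line are assumptions.

```php
<?php
/**
 * Added example: enforce the publish capability for the post's type at save time.
 * A user who lacks the capability can never land a post in 'publish' or 'future'
 * status; the post is demoted to 'pending' (the normal Contributor workflow) and
 * the attempt is logged so administrators can see it.
 */
add_filter( 'wp_insert_post_data', function ( array $data, array $postarr ) {
    // Attachments use a different capability model; leave them alone.
    if ( 'attachment' === $data['post_type'] ) {
        return $data;
    }

    // Only statuses that make a post publicly visible (now or scheduled) matter here.
    if ( ! in_array( $data['post_status'], array( 'publish', 'future' ), true ) ) {
        return $data;
    }

    // Resolve the publish capability for this post type: 'publish_posts' for posts,
    // 'publish_pages' for pages, and whatever a custom post type registered.
    $type_object = get_post_type_object( $data['post_type'] );
    $cap         = $type_object ? $type_object->cap->publish_posts : 'publish_posts';

    if ( ! current_user_can( $cap ) ) {
        $data['post_status'] = 'pending';

        // Assumed logging destination: PHP's error log via error_log().
        error_log( sprintf(
            'publish guard: user %d tried to publish %s post %s without %s; demoted to pending',
            get_current_user_id(),
            $data['post_type'],
            ! empty( $postarr['ID'] ) ? (string) $postarr['ID'] : 'new',
            $cap
        ) );
    }

    return $data;
}, 10, 2 );
```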

Solution:
The vendor has issued a fix (3.1.2).
The vendor's advisory is available at:
http://wordpress.org/news/2011/04/wordpress-3-1-2/

Vendor URL: wordpress.org/news/2011/04/wordpress-3-1-2/

Cause:
Access control error

Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)

Message History:
None.

Source Message Contents

Date: Wed, 27 Apr 2011 14:06:38 +0000
Subject: WordPress

http://wordpress.org/news/2011/04/wordpress-3-1-2/
> This release addresses a vulnerability that allowed Contributor-level users to improperly publish posts.