CVE-2009-2854

Severity

64%

Complexity

99%

Confidentiality

81%

Wordpress before 2.8.3 does not check capabilities for certain actions, which allows remote attackers to make unauthorized edits or additions via a direct request to (1) edit-comments.php, (2) edit-pages.php, (3) edit.php, (4) edit-category-form.php, (5) edit-link-category-form.php, (6) edit-tag-form.php, (7) export.php, (8) import.php, or (9) link-add.php in wp-admin/.

Wordpress before 2.8.3 does not check capabilities for certain actions, which allows remote attackers to make unauthorized edits or additions via a direct request to (1) edit-comments.php, (2) edit-pages.php, (3) edit.php, (4) edit-category-form.php, (5) edit-link-category-form.php, (6) edit-tag-form.php, (7) export.php, (8) import.php, or (9) link-add.php in wp-admin/.

CVSS 2.0 Base Score 6.4. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N).

Overview

First reported 15 years ago

2009-08-18 21:00:00

Last updated 7 years ago

2017-11-22 17:17:00

Affected Software

WordPress

References

http://core.trac.wordpress.org/changeset/11765

Vendor Advisory

http://core.trac.wordpress.org/changeset/11766

Vendor Advisory

http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/

Patch, Vendor Advisory

DSA-1871

Third Party Advisory

[oss-security] 20090804 CVE request: Wordpress

Mailing List, Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.