CVE-2015-5623 - Improper Access Control

Severity

40%

Complexity

80%

Confidentiality

48%

WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php.

WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php.

CVSS 2.0 Base Score 4. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N).

Overview

First reported 9 years ago

2015-08-03 14:59:00

Last updated 7 years ago

2017-09-21 01:29:00

Affected Software

WordPress

Debian Linux 8.0 (Jessie)

8.0

References

http://codex.wordpress.org/Version_4.2.3

Patch, Vendor Advisory

[oss-security] 20150723 Re: CVE request: WordPress 4.2.2 and earlier cross-site scripting vulnerability

DSA-3328

76011

1033037

https://core.trac.wordpress.org/changeset/33357

https://wordpress.org/news/2015/07/wordpress-4-2-3/

Patch, Vendor Advisory

https://wpvulndb.com/vulnerabilities/8111

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.