CVE-2010-5106
WordPress < 3.0.3 - Authenticated Capability Bypass in XML-RPC Interface
The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote authenticated users to bypass intended access restrictions, and publish, edit, or delete posts, by leveraging the Author or Contributor role.
References (3)
Core References
Product (x_refsource_confirm): http://codex.wordpress.org/Version_3.0.3
Mailing List (mailing-list, x_refsource_mlist): http://openwall.com/lists/oss-security/2012/09/14/10
Exploit, Patch (x_refsource_confirm): http://core.trac.wordpress.org/changeset/16803
Scores
EPSS: 0.0030
EPSS Percentile: 53.6%
Details
CWE: CWE-264
Status: published
Products (49)
wordpress/wordpress: 0.71, 1.0, 1.0.1, 1.0.2, 1.1.1, 1.2, 1.2.1, 1.2.2, 1.2.3, 1.2.4
... and 39 more
Published: Sep 14, 2012
Tracked Since: Feb 18, 2026