CVE-2010-5296
WordPress < 3.0.2 - Authenticated Privilege Escalation via delete_users Capability
Title source: llmDescription
wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
http://codex.wordpress.org/Version_3.0.2
Exploit, Patch x_refsource_confirm
https://core.trac.wordpress.org/changeset/15562
Scores
EPSS
0.0040
EPSS Percentile
61.1%
Details
CWE
CWE-264
Status
published
Products (47)
wordpress/wordpress
2.0
wordpress/wordpress
2.0.1
wordpress/wordpress
2.0.2
wordpress/wordpress
2.0.4
wordpress/wordpress
2.0.5
wordpress/wordpress
2.0.6
wordpress/wordpress
2.0.7
wordpress/wordpress
2.0.8
wordpress/wordpress
2.0.9
wordpress/wordpress
2.0.10
... and 37 more
Published
Jan 21, 2014
Tracked Since
Feb 18, 2026