Description
WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances via an add action after a temporary change.
References (4)
Core References
Product (x_refsource_confirm): http://core.trac.wordpress.org/query?status=closed&group=resolution&order=priority&milestone=3.0.1&resolution=fixed
Product (x_refsource_confirm): http://codex.wordpress.org/Changelog/3.0.1
Exploit, Patch (x_refsource_confirm): https://core.trac.wordpress.org/ticket/14119
Exploit, Patch (x_refsource_confirm): https://core.trac.wordpress.org/changeset/15342
Scores
EPSS: 0.0023
EPSS Percentile: 45.8%
Details
CWE: CWE-264
Status: published
Products (46)
wordpress/wordpress 2.0
wordpress/wordpress 2.0.1
wordpress/wordpress 2.0.2
wordpress/wordpress 2.0.4
wordpress/wordpress 2.0.5
wordpress/wordpress 2.0.6
wordpress/wordpress 2.0.7
wordpress/wordpress 2.0.8
wordpress/wordpress 2.0.9
wordpress/wordpress 2.0.10
... and 36 more
Published: Jan 21, 2014
Tracked Since: Feb 18, 2026