CVE-2012-3383

WordPress 3.4.x - Authenticated Cross-Site Scripting via Unfiltered HTML Capability

Title source: llm

Description

The map_meta_cap function in wp-includes/capabilities.php in WordPress 3.4.x before 3.4.2, when the multisite feature is enabled, does not properly assign the unfiltered_html capability, which allows remote authenticated users to bypass intended access restrictions and conduct cross-site scripting (XSS) attacks by leveraging the Administrator or Editor role and composing crafted text.

References (7)

Core 7

Core References

Product x_refsource_misc

http://core.trac.wordpress.org/changeset?reponame=&new=21153%40branches%2F3.4&old=21076%40trunk#file16

Product x_refsource_confirm

http://codex.wordpress.org/Version_3.4.2

Mailing List mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2012/07/08/1

Product x_refsource_confirm

http://codex.wordpress.org/Version_3.4.1

Mailing List mailing-list x_refsource_mlist

http://openwall.com/lists/oss-security/2012/09/12/17

Product x_refsource_confirm

http://core.trac.wordpress.org/changeset?old_path=%2Ftags%2F3.4.1&old=21780&new_path=%2Ftags%2F3.4.2&new=21780#file23

Mailing List mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2012/07/02/1

Scores

EPSS 0.0015

EPSS Percentile 35.6%

Details

CWE

CWE-264

Status published

Products (1)

wordpress/wordpress 3.4.0

Published Jul 22, 2012

Tracked Since Feb 18, 2026