CVE-2012-4421
WordPress < 3.4.2 - Authenticated Post Publication via Atom Publishing Protocol
The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature.
References (3)
Core References
Mailing List mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2012/09/13/4
Exploit, Patch x_refsource_confirm
http://core.trac.wordpress.org/changeset?old_path=%2Ftags%2F3.4.1&old=21780&new_path=%2Ftags%2F3.4.2&new=21780#file2
Product x_refsource_confirm
http://codex.wordpress.org/Version_3.4.2
Scores
EPSS: 0.0020
EPSS Percentile: 42.4%
Details
CWE: CWE-264
Status: published
Products (49)
wordpress/wordpress 0.71
wordpress/wordpress 1.0
wordpress/wordpress 1.0.1
wordpress/wordpress 1.0.2
wordpress/wordpress 1.1.1
wordpress/wordpress 1.2
wordpress/wordpress 1.2.1
wordpress/wordpress 1.2.2
wordpress/wordpress 1.2.3
wordpress/wordpress 1.2.4
... and 39 more
Published: Sep 14, 2012
Tracked Since: Feb 18, 2026