Permissions, Privileges, and Access Controls in WordPress
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2010-5106 |
| CWE-ID | CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
WordPress Web applications / CMS |
| Vendor | WordPress.ORG |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU43514
Risk: Low
CVSSv3.1: 3 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2010-5106
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote #AU# to read and manipulate data.
The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote authenticated users to bypass intended access restrictions, and publish, edit, or delete posts, by leveraging the Author or Contributor role.
MitigationInstall update from vendor's website.
Vulnerable software versionsWordPress: 0.71 - 3.0.1
CPE2.3- cpe:2.3:a:wordpress_org:wordpress:0.71:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:2.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:2.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:2.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress_org:wordpress:3.0.1:*:*:*:*:*:*:*
http://codex.wordpress.org/Version_3.0.3
http://core.trac.wordpress.org/changeset/16803
http://openwall.com/lists/oss-security/2012/09/14/10
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
