CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
EPSS
Percentile: 56.0%
The create_post function in wp-includes/class-wp-atom-server.php in
WordPress before 3.4.2 does not perform a capability check, which allows
remote authenticated users to bypass intended access restrictions and
publish new posts by leveraging the Contributor role and using the Atom
Publishing Protocol (aka AtomPub) feature.
codex.wordpress.org/Version_3.4.2
core.trac.wordpress.org/changeset?old_path=%2Ftags%2F3.4.1&old=21780&new_path=%2Ftags%2F3.4.2&new=21780#file2
openwall.com/lists/oss-security/2012/09/13/4
launchpad.net/bugs/cve/CVE-2012-4421
nvd.nist.gov/vuln/detail/CVE-2012-4421
security-tracker.debian.org/tracker/CVE-2012-4421
www.cve.org/CVERecord?id=CVE-2012-4421