CVE-2012-4421
First published: Fri Sep 14 2012(Updated: )
The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WordPress | <=3.4.1 | |
| WordPress | =0.71 | |
| WordPress | =1.0 | |
| WordPress | =1.0.1 | |
| WordPress | =1.0.2 | |
| WordPress | =1.1.1 | |
| WordPress | =1.2 | |
| WordPress | =1.2.1 | |
| WordPress | =1.2.2 | |
| WordPress | =1.2.3 | |
| WordPress | =1.2.4 | |
| WordPress | =1.2.5 | |
| WordPress | =1.2.5-a | |
| WordPress | =1.3 | |
| WordPress | =1.3.2 | |
| WordPress | =1.3.3 | |
| WordPress | =1.5 | |
| WordPress | =1.5.1 | |
| WordPress | =1.5.1.1 | |
| WordPress | =1.5.1.2 | |
| WordPress | =1.5.1.3 | |
| WordPress | =1.5.2 | |
| WordPress | =2.0 | |
| WordPress | =2.0.1 | |
| WordPress | =2.0.2 | |
| WordPress | =2.0.4 | |
| WordPress | =2.0.5 | |
| WordPress | =2.0.6 | |
| WordPress | =2.0.7 | |
| WordPress | =2.0.8 | |
| WordPress | =2.0.9 | |
| WordPress | =2.0.10 | |
| WordPress | =2.0.11 | |
| WordPress | =2.1 | |
| WordPress | =2.1.1 | |
| WordPress | =2.1.2 | |
| WordPress | =2.1.3 | |
| WordPress | =2.2 | |
| WordPress | =2.2.1 | |
| WordPress | =2.2.2 | |
| WordPress | =2.2.3 | |
| WordPress | =2.3 | |
| WordPress | =2.3.1 | |
| WordPress | =2.3.2 | |
| WordPress | =2.3.3 | |
| WordPress | =2.5 | |
| WordPress | =2.5.1 | |
| WordPress | =2.6 | |
| WordPress | =2.6.1 | |
| WordPress | =2.6.2 | |
| WordPress | =2.6.3 | |
| WordPress | =2.6.5 | |
| WordPress | =2.7 | |
| WordPress | =2.7.1 | |
| WordPress | =2.8 | |
| WordPress | =2.8.1 | |
| WordPress | =2.8.2 | |
| WordPress | =2.8.3 | |
| WordPress | =2.8.4 | |
| WordPress | =2.8.4-a | |
| WordPress | =2.8.5 | |
| WordPress | =2.8.5.1 | |
| WordPress | =2.8.5.2 | |
| WordPress | =2.8.6 | |
| WordPress | =2.9 | |
| WordPress | =2.9.1 | |
| WordPress | =2.9.1.1 | |
| WordPress | =2.9.2 | |
| WordPress | =3.0 | |
| WordPress | =3.0.1 | |
| WordPress | =3.0.2 | |
| WordPress | =3.0.3 | |
| WordPress | =3.0.4 | |
| WordPress | =3.0.5 | |
| WordPress | =3.0.6 | |
| WordPress | =3.1 | |
| WordPress | =3.1.1 | |
| WordPress | =3.1.2 | |
| WordPress | =3.1.3 | |
| WordPress | =3.1.4 | |
| WordPress | =3.2 | |
| WordPress | =3.2.1 | |
| WordPress | =3.3 | |
| WordPress | =3.3.1 | |
| WordPress | =3.3.2 | |
| WordPress | =3.3.3 | |
| WordPress | =3.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2012-4421?
The severity of CVE-2012-4421 is considered high due to its potential for privilege escalation.
How do I fix CVE-2012-4421?
To fix CVE-2012-4421, upgrade to WordPress version 3.4.2 or later.
What systems are affected by CVE-2012-4421?
CVE-2012-4421 affects WordPress versions prior to 3.4.2, as well as several earlier versions.
What types of attacks are associated with CVE-2012-4421?
CVE-2012-4421 can allow remote authenticated users to bypass access restrictions and publish posts.
Who is most at risk due to CVE-2012-4421?
Users with the Contributor role in WordPress installations prior to version 3.4.2 are most at risk.
- agent/type
- agent/softwarecombine
- agent/author
- agent/references
- agent/severity
- agent/remedy
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/wordpress
- canonical/wordpress
- version/wordpress/3.4.1
- version/wordpress/0.71
- version/wordpress/1.0
- version/wordpress/1.0.1
- version/wordpress/1.0.2
- version/wordpress/1.1.1
- version/wordpress/1.2
- version/wordpress/1.2.1
- version/wordpress/1.2.2
- version/wordpress/1.2.3
- version/wordpress/1.2.4
- version/wordpress/1.2.5
- version/wordpress/1.2.5-a
- version/wordpress/1.3
- version/wordpress/1.3.2
- version/wordpress/1.3.3
- version/wordpress/1.5
- version/wordpress/1.5.1
- version/wordpress/1.5.1.1
- version/wordpress/1.5.1.2
- version/wordpress/1.5.1.3
- version/wordpress/1.5.2
- version/wordpress/2.0
- version/wordpress/2.0.1
- version/wordpress/2.0.2
- version/wordpress/2.0.4
- version/wordpress/2.0.5
- version/wordpress/2.0.6
- version/wordpress/2.0.7
- version/wordpress/2.0.8
- version/wordpress/2.0.9
- version/wordpress/2.0.10
- version/wordpress/2.0.11
- version/wordpress/2.1
- version/wordpress/2.1.1
- version/wordpress/2.1.2
- version/wordpress/2.1.3
- version/wordpress/2.2
- version/wordpress/2.2.1
- version/wordpress/2.2.2
- version/wordpress/2.2.3
- version/wordpress/2.3
- version/wordpress/2.3.1
- version/wordpress/2.3.2
- version/wordpress/2.3.3
- version/wordpress/2.5
- version/wordpress/2.5.1
- version/wordpress/2.6
- version/wordpress/2.6.1
- version/wordpress/2.6.2
- version/wordpress/2.6.3
- version/wordpress/2.6.5
- version/wordpress/2.7
- version/wordpress/2.7.1
- version/wordpress/2.8
- version/wordpress/2.8.1
- version/wordpress/2.8.2
- version/wordpress/2.8.3
- version/wordpress/2.8.4
- version/wordpress/2.8.4-a
- version/wordpress/2.8.5
- version/wordpress/2.8.5.1
- version/wordpress/2.8.5.2
- version/wordpress/2.8.6
- version/wordpress/2.9
- version/wordpress/2.9.1
- version/wordpress/2.9.1.1
- version/wordpress/2.9.2
- version/wordpress/3.0
- version/wordpress/3.0.1
- version/wordpress/3.0.2
- version/wordpress/3.0.3
- version/wordpress/3.0.4
- version/wordpress/3.0.5
- version/wordpress/3.0.6
- version/wordpress/3.1
- version/wordpress/3.1.1
- version/wordpress/3.1.2
- version/wordpress/3.1.3
- version/wordpress/3.1.4
- version/wordpress/3.2
- version/wordpress/3.2.1
- version/wordpress/3.3
- version/wordpress/3.3.1
- version/wordpress/3.3.2
- version/wordpress/3.3.3
- version/wordpress/3.4.0