CVE-2012-4421

The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature.

Published: Sep 14, 2012
Updated: Apr 13, 2023
CVE: CVE-2012-4421
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:N/I:P/A:N

CWEs:

CWE-264

Affected Software
References

Software	From	Fixed in
WordPress / wordpress	3.0.5	3.0.5.x
WordPress / wordpress	2.8.5.2	2.8.5.2.x
WordPress / wordpress	1.2.3	1.2.3.x
WordPress / wordpress	3.4.0	3.4.0.x
WordPress / wordpress	2.0.11	2.0.11.x
WordPress / wordpress	1.3.3	1.3.3.x
WordPress / wordpress	2.8.6	2.8.6.x
WordPress / wordpress	2.0	2.0.x
WordPress / wordpress	2.1.1	2.1.1.x
WordPress / wordpress	2.2.3	2.2.3.x
WordPress / wordpress	2.0.2	2.0.2.x
WordPress / wordpress	2.1	2.1.x
WordPress / wordpress	1.1.1	1.1.1.x
WordPress / wordpress	1.2.4	1.2.4.x
WordPress / wordpress	2.0.6	2.0.6.x
WordPress / wordpress	2.0.1	2.0.1.x
WordPress / wordpress	2.8.4	2.8.4.x
WordPress / wordpress	2.0.4	2.0.4.x
WordPress / wordpress	3.0.2	3.0.2.x
WordPress / wordpress	3.2.1	3.2.1.x
WordPress / wordpress	3.1.4	3.1.4.x
WordPress / wordpress	2.2	2.2.x
WordPress / wordpress	1.2.1	1.2.1.x
WordPress / wordpress	2.1.3	2.1.3.x
WordPress / wordpress	-	3.4.1.x
WordPress / wordpress	1.3.2	1.3.2.x
WordPress / wordpress	3.0	3.0.x
WordPress / wordpress	2.8	2.8.x
WordPress / wordpress	3.2	3.2.x
WordPress / wordpress	3.3.3	3.3.3.x
WordPress / wordpress	2.0.7	2.0.7.x
WordPress / wordpress	2.1.2	2.1.2.x
WordPress / wordpress	3.0.1	3.0.1.x
WordPress / wordpress	1.2.5-a	1.2.5-a.x
WordPress / wordpress	2.7.1	2.7.1.x
WordPress / wordpress	0.71	0.71.x
WordPress / wordpress	2.6.3	2.6.3.x
WordPress / wordpress	2.0.5	2.0.5.x
WordPress / wordpress	2.8.3	2.8.3.x
WordPress / wordpress	2.8.4-a	2.8.4-a.x
WordPress / wordpress	2.6.5	2.6.5.x
WordPress / wordpress	3.1.3	3.1.3.x
WordPress / wordpress	2.2.2	2.2.2.x
WordPress / wordpress	2.3.3	2.3.3.x
WordPress / wordpress	1.5.1.1	1.5.1.1.x
WordPress / wordpress	2.0.9	2.0.9.x
WordPress / wordpress	2.8.1	2.8.1.x
WordPress / wordpress	2.2.1	2.2.1.x
WordPress / wordpress	2.7	2.7.x
WordPress / wordpress	1.5.2	1.5.2.x
WordPress / wordpress	1.0.1	1.0.1.x
WordPress / wordpress	3.0.4	3.0.4.x
WordPress / wordpress	2.6.2	2.6.2.x
WordPress / wordpress	2.9	2.9.x
WordPress / wordpress	3.1	3.1.x
WordPress / wordpress	2.3.1	2.3.1.x
WordPress / wordpress	1.0.2	1.0.2.x
WordPress / wordpress	2.5.1	2.5.1.x
WordPress / wordpress	3.3.2	3.3.2.x
WordPress / wordpress	2.6.1	2.6.1.x
WordPress / wordpress	1.5.1.2	1.5.1.2.x
WordPress / wordpress	3.1.2	3.1.2.x
WordPress / wordpress	1.2	1.2.x
WordPress / wordpress	2.8.5.1	2.8.5.1.x
WordPress / wordpress	3.0.6	3.0.6.x
WordPress / wordpress	2.9.2	2.9.2.x
WordPress / wordpress	2.5	2.5.x
WordPress / wordpress	3.3.1	3.3.1.x
WordPress / wordpress	3.1.1	3.1.1.x
WordPress / wordpress	1.2.2	1.2.2.x
WordPress / wordpress	2.0.10	2.0.10.x
WordPress / wordpress	2.9.1	2.9.1.x
WordPress / wordpress	1.0	1.0.x
WordPress / wordpress	3.3	3.3.x
WordPress / wordpress	1.5	1.5.x
WordPress / wordpress	2.8.2	2.8.2.x
WordPress / wordpress	1.5.1	1.5.1.x
WordPress / wordpress	1.2.5	1.2.5.x
WordPress / wordpress	3.0.3	3.0.3.x
WordPress / wordpress	1.5.1.3	1.5.1.3.x
WordPress / wordpress	2.9.1.1	2.9.1.1.x
WordPress / wordpress	2.3.2	2.3.2.x
WordPress / wordpress	1.3	1.3.x
WordPress / wordpress	2.6	2.6.x
WordPress / wordpress	2.8.5	2.8.5.x
WordPress / wordpress	2.0.8	2.0.8.x
WordPress / wordpress	2.3	2.3.x

Vulnerability Database

289,689

CVE-2012-4421