Two security issues and a vulnerability have been reported in WordPress, which can potentially be exploited by malicious users to bypass certain security restrictions and conduct script insertion attacks.
1) The application does not properly restrict the publishing of posts when using AtomPub and can be exploited by otherwise restricted user groups to publish posts.
Successful exploitation of this security issue requires that AtomPub is enabled (disabled by default).
2) The application does not properly restrict activation of network-wide plugins installed by the network administrator within a multisite deployment and can be exploited by site administrators to activate network-wide plugins.
Successful exploitation of this security issue requires plugin management rights for site administrators within a multisite deployment (not granted by default).
3) An error in checking user capabilities in multisite installations can be exploited by site administrators and editors to insert arbitrary HTML and script code into posts, which will be executed in a user's browser session in the context of an affected site when the malicious data is viewed.
The security issues and the vulnerability are reported in versions prior to 3.4.2.
Solution: Update to version 3.4.2.
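As an added triage helper (not part of the Secunia advisory or WordPress itself), the following Python encodes the version cutoff and the mitigating factors stated above, so an inventory of WordPress sites can be checked for which of the three items actually apply to each; the inventory record format and field names are assumptions:

```python
import re

# The advisory covers versions prior to 3.4.2.
FIXED_VERSION = (3, 4, 2)


def parse_version(v):
    """Parse 'MAJOR.MINOR[.PATCH]' into a tuple; suffixes such as '-beta1' are ignored.

    Numeric comparison matters: '3.10' sorts before '3.4.2' as a string but is newer.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised WordPress version: {v!r}")
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def is_affected_version(v):
    return parse_version(v) < FIXED_VERSION


def applicable_issues(version, atompub_enabled=False, multisite=False,
                      site_admins_manage_plugins=False):
    """Return the advisory item numbers that apply given a site's configuration.

    1 = AtomPub publishing bypass (needs AtomPub enabled, off by default)
    2 = network-wide plugin activation (needs multisite + plugin rights for site admins)
    3 = script insertion via the multisite capability-check error (needs multisite)
    """
    if not is_affected_version(version):
        return []
    issues = []
    if atompub_enabled:
        issues.append(1)
    if multisite and site_admins_manage_plugins:
        issues.append(2)
    if multisite:
        issues.append(3)
    return issues


def audit(inventory):
    """Map each site name in a (constructed) inventory to its applicable items."""
    return {site["name"]: applicable_issues(site["version"], site.get("atompub", False),
                                            site.get("multisite", False),
                                            site.get("site_admin_plugins", False))
            for site in inventory}


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    {"name": "blog", "version": "3.4.1", "atompub": True},
    {"name": "network", "version": "3.4", "multisite": True, "site_admin_plugins": True},
    {"name": "patched", "version": "3.4.2", "multisite": True, "atompub": True},
]
```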
Provided and/or discovered by: Reported by the vendor.
Original Advisory: http://wordpress.org/news/2012/09/wordpress-3-4-2/
Subject: WordPress Security Bypass Security Issues and Script Insertion Vulnerability