Launchpad.net

CVE 2012-4421

The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature.

Related bugs and status

CVE-2012-4421 (Candidate) is related to these bugs:

Bug #1221040: Sync wordpress 3.6.1 (universe) from Debian stable-security

		In	Importance	Status
1221040	Sync wordpress 3.6.1 (universe) from Debian stable-security	wordpress (Ubuntu)	High	Fix Released
1221040	Sync wordpress 3.6.1 (universe) from Debian stable-security	wordpress (Ubuntu Precise)	High	Won't Fix
1221040	Sync wordpress 3.6.1 (universe) from Debian stable-security	wordpress (Ubuntu Quantal)	High	Won't Fix
1221040	Sync wordpress 3.6.1 (universe) from Debian stable-security	wordpress (Ubuntu Raring)	High	Won't Fix
1221040	Sync wordpress 3.6.1 (universe) from Debian stable-security	wordpress (Debian)	Unknown	Fix Released
1221040	Sync wordpress 3.6.1 (universe) from Debian stable-security	wordpress (Ubuntu Saucy)	High	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2012-4421

Related bugs and status

Related bugs

References