ThreatPress

WordPress Vulnerabilities Database

WordPress <= 3.0.1 - BYPASS

Product
WordPress
Description
wp-includes/capabilities.php does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action.
Solution
Update WordPress.
Classification
Type BYPASS
References
CVE Mitre
CVE
Name CVE-2010-5296
Versions
Affected In <= 3.0.1
Fixed In 3.0.2
Disclosure date
2014-01-20
Credits
nacin