garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Created CVE-2014-0165 (markdown)

Ryan Dewhurst
2014-04-09 13:50:42 -07:00
parent 9f3ff170ec
commit 7070b039c5
1 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
CVE-2014-0165.md Normal file

@@ -0,0 +1,9 @@
Using the bulk edit feature you can publish posts and pages PUBLICLY without the publishing-cap. The problem is that there are no checks for publishing-cap's on serverside. It's only protected in UI.
How to reproduce:
1. Login as contributor
2. Create a draft post
3. Mark the draft in post list and open the bulk edit form
4. Make use of tools like Firebug to change a value in the status dropdown. You have to set the value of an entry to 'publish'
5. Select the changed status entry
6. Push the button and welcome to the next level