CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
77.8%
The (1) get_edit_post_link and (2) get_edit_comment_link functions in
wp-includes/link-template.php in WordPress before 2.6.1 do not force SSL
communication in the intended situations, which might allow remote
attackers to gain administrative access by sniffing the network for a
cookie.
Author | Note |
---|---|
jdstrand | per upstream via stefanlsd, SSL functionality doesn’t exist before 2.6.0. However, Debian is trying to backport the SSL functionality, believing that lack of SSL is an extension of this CVE. stefanlsd and upstream feel that this approach is dangerous and messy. It has been marked as Won’t Fix in LP, but can be reopened if the Debian patch is viable. Debian patch is included in 2.5.1-6 (broken) and 2.5.1-7 |