9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
wordpress is vulnerable to privilege escalation. Using XML-RPC allows an unprivileged user to comment on a post as wp-includes/class-wp-xmlrpc-server.php
does not enforce the permission to restrict it.
github.com/WordPress/wordpress-develop/commit/c9e6b98968025b1629015998d12c3102165a7d32
github.com/WordPress/WordPress/commit/fcc970a1cf82bc90ad83c8e609691f86c7038135
lists.debian.org/debian-lts-announce/2020/11/msg00004.html
lists.fedoraproject.org/archives/list/[email protected]/message/CHHVNK2WYAM3ZTCXTFSEIT56IKLVJHU3/
lists.fedoraproject.org/archives/list/[email protected]/message/VAVVYJKA2I6CRQUINECDPBGWMQDEG244/
lists.fedoraproject.org/archives/list/[email protected]/message/VUXVUAKL2HL4QYJEPHBNVQQWRMFMII2Y/
wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/
wpscan.com/vulnerability/10449
www.debian.org/security/2020/dsa-4784
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P