Description
WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php.
Remediation
References
Related Vulnerabilities
PHP Resource Management Errors Vulnerability (CVE-2011-1148)
MediaWiki Incorrect Permission Assignment for Critical Resource Vulnerability (CVE-2023-45369)
WordPress 4.1.x Same Origin Method Execution (SOME) Vulnerability (4.1 - 4.1.10)
WordPress Plugin Advanced Forms for ACF Pro Security Bypass (1.6.8)
WordPress Plugin WOOCS-Currency Switcher for WooCommerce Professional Cross-Site Scripting (1.3.7.4)