Description
WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php.
Remediation
Upgrade to WordPress 4.2.3 or later, which is the version in which the edit_posts capability is enforced for this action. Until then, restrict access to accounts holding only the Subscriber role and review unexpected drafts created by low-privilege users.
References
Related Vulnerabilities
WordPress Plugin Photo Gallery by Ays-Responsive Image Gallery SQL Injection (4.4.3)
Apache Traffic Server Improper Input Validation Vulnerability (CVE-2021-37148)
PHP Resource Management Errors Vulnerability (CVE-2010-2225)
WordPress Plugin Meta Slider and Carousel with Lightbox Cross-Site Request Forgery (1.6.2)