[closed] Contributors are able to publish posts (7 posts)

  1. Devesh
    Posted 5 years ago #

    Hello there,

    I found a bug/issue with the last WordPress update. Anyone who is registered as a contributor can easily publish a post.

    I've seen that many blogs have been infected with this.

    Here is one of those blogs - [Link removed]


  2. esmi
    Forum Moderator
    Posted 5 years ago #

    If you think you've found a security problem in WordPress, please see the Security FAQ for information on reporting the problem.

  3. Andrew Nacin
    Lead Developer
    Posted 5 years ago #

    Can't reproduce, but would appreciate an email to security@wordpress.org if you think you can.

  4. Devesh
    Posted 5 years ago #

    I've sent an email to security@wordpress.org.

    Though here is an article about that contributor post issue.

  5. Emil Uzelac
    Theme Review Admin
    Posted 5 years ago #

    Wasn't this fixed in version 3.0.5?

    Two moderate security issues were fixed that could have allowed a Contributor- or Author-level user to gain further access to the site.

  6. Andrew Nacin
    Lead Developer
    Posted 5 years ago #

    Most likely not, but it's possible.

    I'm closing this thread as it should be handled through proper channels. A note: emailing security@ but then publishing a thread that has nothing to back up your claims goes against the concept of responsible disclosure. We have this procedure in place in part to prevent panic and in-the-wild 0day exploits (which I don't think this is currently).

  7. Andrew Nacin
    Lead Developer
    Posted 5 years ago #

    This vulnerability was fixed in WordPress 3.1.2.

Topic Closed

This topic has been closed to new replies.