CVE-2013-2200

WordPress Core < 3.5.2 - Missing Authorization Checks

Severity Score

6.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

WordPress before 3.5.2 does not properly check the capabilities of roles, which allows remote authenticated users to bypass intended restrictions on publishing and authorship reassignment via unspecified vectors.

WordPress anteriores a v3.5.2 no gestionan de forma adecuada las capacidades de los roles, lo que permite a usuarios autenticados a evitar las restricciones de acceso impuestas en la publicación y la reasignación de los autores de la publicación a través de vectores no especificados.

A denial of service flaw was found in the way Wordpress, a blog tool and publishing platform, performed hash computation when checking password for password protected blog posts. A remote attacker could provide a specially-crafted input that, when processed by the password checking mechanism of Wordpress would lead to excessive CPU consumption. Inadequate SSRF protection for HTTP requests where the user can provide a URL can allow for attacks against the intranet and other sites. This is a continuation of work related to which was specific to SSRF in pingback requests and was fixed in 3.5.1. Inadequate checking of a user's capabilities could allow them to publish posts when their user role should not allow for it; and to assign posts to other authors. Inadequate escaping allowed an administrator to trigger a cross-site scripting vulnerability through the uploading of media files and plugins. The processing of an oEmbed response is vulnerable to an XXE. If the uploads directory is not writable, error message data returned via XHR will include a full path to the directory. Content Spoofing in the MoxieCode MoxiePlayer project. Cross-domain XSS in SWFUpload.

*Credits: Konstantin Kovshenin,Luke Bryan

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2013-02-19 CVE Reserved
2013-06-21 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-264: Permissions, Privileges, and Access Controls
CWE-862: Missing Authorization

CAPEC

References (4)

URL	Tag	Source
http://codex.wordpress.org/Version_3.5.2	X_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=976784	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://wordpress.org/news/2013/06/wordpress-3-5-2	2013-08-13
http://www.debian.org/security/2013/dsa-2718	2013-08-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				<= 3.5.1 Search vendor "Wordpress" for product "Wordpress" and version " <= 3.5.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				0.71 Search vendor "Wordpress" for product "Wordpress" and version "0.71"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.0 Search vendor "Wordpress" for product "Wordpress" and version "1.0"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.0.1 Search vendor "Wordpress" for product "Wordpress" and version "1.0.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.0.2 Search vendor "Wordpress" for product "Wordpress" and version "1.0.2"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.1.1 Search vendor "Wordpress" for product "Wordpress" and version "1.1.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.2 Search vendor "Wordpress" for product "Wordpress" and version "1.2"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.2.1 Search vendor "Wordpress" for product "Wordpress" and version "1.2.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.2.2 Search vendor "Wordpress" for product "Wordpress" and version "1.2.2"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.2.3 Search vendor "Wordpress" for product "Wordpress" and version "1.2.3"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.2.4 Search vendor "Wordpress" for product "Wordpress" and version "1.2.4"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.2.5 Search vendor "Wordpress" for product "Wordpress" and version "1.2.5"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.2.5 Search vendor "Wordpress" for product "Wordpress" and version "1.2.5"		a		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.3 Search vendor "Wordpress" for product "Wordpress" and version "1.3"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.3.2 Search vendor "Wordpress" for product "Wordpress" and version "1.3.2"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.3.3 Search vendor "Wordpress" for product "Wordpress" and version "1.3.3"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.5 Search vendor "Wordpress" for product "Wordpress" and version "1.5"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.5.1 Search vendor "Wordpress" for product "Wordpress" and version "1.5.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.5.1.1 Search vendor "Wordpress" for product "Wordpress" and version "1.5.1.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.5.1.2 Search vendor "Wordpress" for product "Wordpress" and version "1.5.1.2"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.5.1.3 Search vendor "Wordpress" for product "Wordpress" and version "1.5.1.3"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.5.2 Search vendor "Wordpress" for product "Wordpress" and version "1.5.2"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				1.6.2 Search vendor "Wordpress" for product "Wordpress" and version "1.6.2"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.0 Search vendor "Wordpress" for product "Wordpress" and version "2.0"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.0.1 Search vendor "Wordpress" for product "Wordpress" and version "2.0.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.0.2 Search vendor "Wordpress" for product "Wordpress" and version "2.0.2"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.0.4 Search vendor "Wordpress" for product "Wordpress" and version "2.0.4"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.0.5 Search vendor "Wordpress" for product "Wordpress" and version "2.0.5"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.0.6 Search vendor "Wordpress" for product "Wordpress" and version "2.0.6"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.0.7 Search vendor "Wordpress" for product "Wordpress" and version "2.0.7"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.0.8 Search vendor "Wordpress" for product "Wordpress" and version "2.0.8"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.0.9 Search vendor "Wordpress" for product "Wordpress" and version "2.0.9"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.0.10 Search vendor "Wordpress" for product "Wordpress" and version "2.0.10"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.0.11 Search vendor "Wordpress" for product "Wordpress" and version "2.0.11"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.1 Search vendor "Wordpress" for product "Wordpress" and version "2.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.1.1 Search vendor "Wordpress" for product "Wordpress" and version "2.1.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.1.2 Search vendor "Wordpress" for product "Wordpress" and version "2.1.2"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.1.3 Search vendor "Wordpress" for product "Wordpress" and version "2.1.3"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.2 Search vendor "Wordpress" for product "Wordpress" and version "2.2"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.2.1 Search vendor "Wordpress" for product "Wordpress" and version "2.2.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.2.2 Search vendor "Wordpress" for product "Wordpress" and version "2.2.2"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.2.3 Search vendor "Wordpress" for product "Wordpress" and version "2.2.3"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.3 Search vendor "Wordpress" for product "Wordpress" and version "2.3"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.3.1 Search vendor "Wordpress" for product "Wordpress" and version "2.3.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.3.2 Search vendor "Wordpress" for product "Wordpress" and version "2.3.2"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.3.3 Search vendor "Wordpress" for product "Wordpress" and version "2.3.3"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.5 Search vendor "Wordpress" for product "Wordpress" and version "2.5"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.5.1 Search vendor "Wordpress" for product "Wordpress" and version "2.5.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.6 Search vendor "Wordpress" for product "Wordpress" and version "2.6"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.6.1 Search vendor "Wordpress" for product "Wordpress" and version "2.6.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.6.2 Search vendor "Wordpress" for product "Wordpress" and version "2.6.2"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.6.3 Search vendor "Wordpress" for product "Wordpress" and version "2.6.3"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.6.5 Search vendor "Wordpress" for product "Wordpress" and version "2.6.5"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.7 Search vendor "Wordpress" for product "Wordpress" and version "2.7"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.7.1 Search vendor "Wordpress" for product "Wordpress" and version "2.7.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.8 Search vendor "Wordpress" for product "Wordpress" and version "2.8"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.8.1 Search vendor "Wordpress" for product "Wordpress" and version "2.8.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.8.2 Search vendor "Wordpress" for product "Wordpress" and version "2.8.2"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.8.3 Search vendor "Wordpress" for product "Wordpress" and version "2.8.3"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.8.4 Search vendor "Wordpress" for product "Wordpress" and version "2.8.4"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.8.4 Search vendor "Wordpress" for product "Wordpress" and version "2.8.4"		a		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.8.5 Search vendor "Wordpress" for product "Wordpress" and version "2.8.5"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.8.5.1 Search vendor "Wordpress" for product "Wordpress" and version "2.8.5.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.8.5.2 Search vendor "Wordpress" for product "Wordpress" and version "2.8.5.2"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.8.6 Search vendor "Wordpress" for product "Wordpress" and version "2.8.6"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.9 Search vendor "Wordpress" for product "Wordpress" and version "2.9"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.9.1 Search vendor "Wordpress" for product "Wordpress" and version "2.9.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.9.1.1 Search vendor "Wordpress" for product "Wordpress" and version "2.9.1.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				2.9.2 Search vendor "Wordpress" for product "Wordpress" and version "2.9.2"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				3.3 Search vendor "Wordpress" for product "Wordpress" and version "3.3"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				3.3.1 Search vendor "Wordpress" for product "Wordpress" and version "3.3.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				3.3.2 Search vendor "Wordpress" for product "Wordpress" and version "3.3.2"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				3.3.3 Search vendor "Wordpress" for product "Wordpress" and version "3.3.3"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				3.4.0 Search vendor "Wordpress" for product "Wordpress" and version "3.4.0"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				3.4.1 Search vendor "Wordpress" for product "Wordpress" and version "3.4.1"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				3.4.2 Search vendor "Wordpress" for product "Wordpress" and version "3.4.2"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				3.5.0 Search vendor "Wordpress" for product "Wordpress" and version "3.5.0"		-		Affected