Unauthorized Access to Draft and Private Posts via Modified Attachment ID in WordPress Media Uploader

CVE-2011-0701 · MEDIUM Severity

AV:N/AC:L/Au:S/C:P/I:N/A:N

wp-admin/async-upload.php in the media uploader in WordPress before 3.0.5 allows remote authenticated users to read (1) draft posts or (2) private posts via a modified attachment_id parameter.
