WordPress Patches Privilege Escalation Vulnerabilities

December 18, 2018

Privilege escalation vulnerabilities in WordPress allow attackers to access features that were intended for administrators only, RIPS Tech security researchers say.

An attacker with a user role as low as contributor on WordPress – the free and open-source content management system based on PHP and MySQL – could exploit the security bugs to create posts of post types that the role should not normally have access to.

The root cause of the issue is a logic flaw in the manner in which WordPress creates blog posts, the researchers say. This leads to a Stored XSS and Object Injection in the WordPress core, as well as to more severe vulnerabilities in the popular WordPress plugins Contact Form 7 and Jetpack.

Read More on Security Week