Red Hat Bugzilla – Bug 426431
Draft text access not restricted to administrators
Last modified: 2008-01-02 20:41:35 EST
From Gentoo bugzilla:
Michael Brooks has discovered a vulnerability in WordPress, which can be
exploited by malicious people to bypass certain security restrictions and to
disclose sensitive information.
The application does not properly restrict access to posted drafts to users
with valid administrator credentials. This can be exploited to read drafts by
accessing the index.php script with data in the "PATH_INFO" URL part ending
The vulnerability is confirmed in version 2.3.1. Other versions may also be
Do not post sensitive information as drafts.
This should be: http://trac.wordpress.org/ticket/5487
And is fixed with the wordpress 2.3.2 release.
Fixed in rawhide and stable update request have been made for F-7 and F-8.
wordpress-2.3.2-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
wordpress-2.3.2-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.