WordPress Privilege Escalation through Post Types
17 Dec 2018
by Simon Scannell
A logic flaw in the way WordPress created blog posts allowed attackers to access features only administrators were supposed to have (CVE-2018-20152).
This led to a Stored XSS and an Object Injection in the WordPress core, and to more severe vulnerabilities in WordPress’s most popular plugins, Contact Form 7 and Jetpack.