Title: WordPress 'get_edit_post_link()' & 'get_edit_comment_link()' Multiple Eavesdropping Vulnerabilities
Severity: MODERATE
Description:
WordPress is a web-based publishing application implemented in PHP.
WordPress is prone to multiple eavesdropping vulnerabilities because the 'get_edit_post_link()' and 'get_edit_comment_link()' functions fail to use SSL when transmitting data. The affected functions are used for administrative purposes.
Successfully exploiting this issue will allow attackers to obtain sensitive information and possibly to impersonate users and tamper with network data.
Versions prior to WordPress 2.6.1 are vulnerable.
Affected Products:
- WordPress WordPress 2.0.0
- WordPress WordPress 2.0.1
- WordPress WordPress 2.0.10
- WordPress WordPress 2.0.10-RC1
- WordPress WordPress 2.0.10-RC2
- WordPress WordPress 2.0.11
- WordPress WordPress 2.0.2
- WordPress WordPress 2.0.3
- WordPress WordPress 2.0.4
- WordPress WordPress 2.0.5
- WordPress WordPress 2.0.6
- WordPress WordPress 2.0.7
- WordPress WordPress 2.1
- WordPress WordPress 2.1.1
- WordPress WordPress 2.1.2
- WordPress WordPress 2.1.3
- WordPress WordPress 2.1.3-RC1
- WordPress WordPress 2.1.3-RC2
- WordPress WordPress 2.2
- WordPress WordPress 2.2 Revision 5002
- WordPress WordPress 2.2 Revision 5003
- WordPress WordPress 2.2.1
- WordPress WordPress 2.2.2
- WordPress WordPress 2.2.3
- WordPress WordPress 2.3
- WordPress WordPress 2.3.1
- WordPress WordPress 2.3.2
- WordPress WordPress 2.3.3
- WordPress WordPress 2.5
- WordPress WordPress 2.5.1
- WordPress WordPress 2.6
- WordPress WordPress 2.6.1
References:
- WordPress: WordPress Homepage
- Robert Accettura: get_edit_post_link() and get_edit_comment_link() don't use SSL when they should
