VIR Vulnerability Intelligence Relay

CVE-2012-4422

low
Published 2012-09-14 · Modified 2026-04-29
CVSS v3
CVSS v2
3.5
VIR risk
3.5

Description

wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated users to make unintended plugin changes by leveraging the Administrator role.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2012-4422

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://core.trac.wordpress.org/changeset?old_path=%2Ftags%2F3.4.1&old=21780&new_path=%2Ftags%2F3.4.2&new=21780#file42

OS impact
OSVersionStatusFixed in
debian debianbookwormfixed3.4.2+dfsg-1
debian debianbullseyefixed3.4.2+dfsg-1
debian debianforkyfixed3.4.2+dfsg-1
debian debiansidfixed3.4.2+dfsg-1
debian debiantrixiefixed3.4.2+dfsg-1

Application impact
VendorProductVersionsFixed
wordpresswordpress{"endIncluding":"3.4.1"}
wordpresswordpress0.71
wordpresswordpress1.0
wordpresswordpress1.0.1
wordpresswordpress1.0.2
wordpresswordpress1.1.1
wordpresswordpress1.2
wordpresswordpress1.2.1
wordpresswordpress1.2.2
wordpresswordpress1.2.3
wordpresswordpress1.2.4
wordpresswordpress1.2.5
wordpresswordpress1.3
wordpresswordpress1.3.2
wordpresswordpress1.3.3
wordpresswordpress1.5
wordpresswordpress1.5.1
wordpresswordpress1.5.1.1
wordpresswordpress1.5.1.2
wordpresswordpress1.5.1.3
wordpresswordpress1.5.2
wordpresswordpress2.0
wordpresswordpress2.0.1
wordpresswordpress2.0.2
wordpresswordpress2.0.4
wordpresswordpress2.0.5
wordpresswordpress2.0.6
wordpresswordpress2.0.7
wordpresswordpress2.0.8
wordpresswordpress2.0.9
wordpresswordpress2.0.10
wordpresswordpress2.0.11
wordpresswordpress2.1
wordpresswordpress2.1.1
wordpresswordpress2.1.2
wordpresswordpress2.1.3
wordpresswordpress2.2
wordpresswordpress2.2.1
wordpresswordpress2.2.2
wordpresswordpress2.2.3
wordpresswordpress2.3
wordpresswordpress2.3.1
wordpresswordpress2.3.2
wordpresswordpress2.3.3
wordpresswordpress2.5
wordpresswordpress2.5.1
wordpresswordpress2.6
wordpresswordpress2.6.1
wordpresswordpress2.6.2
wordpresswordpress2.6.3
wordpresswordpress2.6.5
wordpresswordpress2.7
wordpresswordpress2.7.1
wordpresswordpress2.8
wordpresswordpress2.8.1
wordpresswordpress2.8.2
wordpresswordpress2.8.3
wordpresswordpress2.8.4
wordpresswordpress2.8.5
wordpresswordpress2.8.5.1
wordpresswordpress2.8.5.2
wordpresswordpress2.8.6
wordpresswordpress2.9
wordpresswordpress2.9.1
wordpresswordpress2.9.1.1
wordpresswordpress2.9.2
wordpresswordpress3.0
wordpresswordpress3.0.1
wordpresswordpress3.0.2
wordpresswordpress3.0.3
wordpresswordpress3.0.4
wordpresswordpress3.0.5
wordpresswordpress3.0.6
wordpresswordpress3.1
wordpresswordpress3.1.1
wordpresswordpress3.1.2
wordpresswordpress3.1.3
wordpresswordpress3.1.4
wordpresswordpress3.2
wordpresswordpress3.2.1
wordpresswordpress3.3
wordpresswordpress3.3.1
wordpresswordpress3.3.2
wordpresswordpress3.3.3
wordpresswordpress3.4.0

References

CWEs

CWE-264

Verify integrity in audit chain (admin only). AS-IS.