CVE-2015-5623

Name	CVE-2015-5623
Description	WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-3328-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
wordpress (PTS)	buster	5.0.15+dfsg1-0+deb10u1	fixed
	buster (security)	5.0.20+dfsg1-0+deb10u1	fixed
	bullseye (security), bullseye	5.7.8+dfsg1-0+deb11u2	fixed
	bookworm	6.1.1+dfsg1-1	fixed
	trixie	6.3.2+dfsg1-1	fixed
	sid	6.4.1+dfsg1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
wordpress	source	squeeze	(not affected)
wordpress	source	wheezy	(not affected)
wordpress	source	jessie	4.1+dfsg-1+deb8u2	DSA-3328-1
wordpress	source	(unstable)	4.2.3+dfsg-1

Notes

[wheezy] - wordpress <not-affected> (Vulnerable code not present)
[squeeze] - wordpress <not-affected> (Vulnerable code not present)
https://core.trac.wordpress.org/changeset/33357