Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Question about disclosure of WordPress plugin vulnerabilities

From: Andrew Farmer <andfarm () gmail com>
Date: Mon, 29 Aug 2011 13:07:55 -0700
On 2011-08-26, at 05:08, Miroslav Stampar wrote:

Does anybody know what's the general opinion on disclosure of
WordPress plugin vulnerabilities in these two sections:

<...>

2) admin ones (requires access to the restricted admin area)


If you need full admin access to run the exploit, you probably have enough access that you could get arbitrary code 
execution by installing a plugin, like:

http://wordpress.org/extend/plugins/wordpress-console/

So the "exploit" isn't really doing much at that point, unless it can be triggered remotely (e.g, CSRF).
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: