Full Disclosure mailing list archives
Re: Question about disclosure of WordPress plugin vulnerabilities
From: Andrew Farmer <andfarm () gmail com>
Date: Mon, 29 Aug 2011 13:07:55 -0700
On 2011-08-26, at 05:08, Miroslav Stampar wrote:
Does anybody know what's the general opinion on disclosure of WordPress plugin vulnerabilities in these two sections:
<...>
2) admin ones (requires access to the restricted admin area)
If you need full admin access to run the exploit, you probably have enough access that you could get arbitrary code execution by installing a plugin, like: http://wordpress.org/extend/plugins/wordpress-console/ So the "exploit" isn't really doing much at that point, unless it can be triggered remotely (e.g, CSRF). _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Question about disclosure of WordPress plugin vulnerabilities Miroslav Stampar (Aug 26)
- Re: Question about disclosure of WordPress plugin vulnerabilities Andrew Farmer (Aug 29)