oss-sec mailing list archives

CVE request: WordPress plugin uk-cookie CSRF


From: Henri Salo <henri () nerv fi>
Date: Thu, 6 Jun 2013 20:44:09 +0300

Hello,

While reproducing CVE-2012-5856[1][2] I noticed there is a CSRF security
vulnerability in the uk-cookie plugin, and by abusing it an attacker can insert XSS into
the front page of a WordPress installation. Version 1.1 is the latest and I did not
test older versions. The OSVDB item[3] should be updated. The plugin is currently
disabled in the WordPress plugin repository, so the vendor URL currently returns 404.

PoC: https://github.com/wpscanteam/wpscan/issues/184#issuecomment-19038566
Product: Uk Cookie Plugin for WordPress
Vendor URL: http://wordpress.org/plugins/uk-cookie/
Vendor SVN: http://plugins.svn.wordpress.org/uk-cookie/trunk/
Vulnerability Type: CWE-352
Vulnerable Versions: 1.1 and probably earlier
Fixed Version: N/A

Kurt, could you assign a CVE identifier for the CSRF vulnerability? Thanks.

1: http://seclists.org/bugtraq/2012/Nov/50
2: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5856
3: http://osvdb.org/87561

Similar plugins are available: http://wordpress.org/plugins/uk-cookie-consent/

--
Qentinel, Henri Salo
http://www.qentinel.com/en/
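For readers unfamiliar with the vulnerability class in the report above, the following is an added, hypothetical WordPress plugin fragment (constructed for this archive page, not the uk-cookie plugin's code) showing the settings-save pattern that allows CSRF to plant stored XSS on the front page, beside the hardened form that uses WordPress nonces, a capability check, sanitisation on save and escaping on output. The option name, hook names and functions prefixed `cn_` are assumptions.

```php
<?php
// Hypothetical cookie-notice plugin, reduced to its settings save path.
// Constructed for illustration; not the uk-cookie plugin's code.

// --- Vulnerable pattern: no nonce, no capability check, raw output (CWE-352 -> stored XSS) ---
function cn_vulnerable_save() {
    if ( isset( $_POST['cn_message'] ) ) {
        // A logged-in admin tricked into submitting a cross-site form updates this option,
        // and the unescaped value is then echoed on every front-page load.
        update_option( 'cn_message', $_POST['cn_message'] );
    }
}
// add_action( 'init', 'cn_vulnerable_save' );  // deliberately left unregistered

// --- Hardened pattern ---
const CN_NONCE_ACTION = 'cn_save_settings';

function cn_settings_form() {
    // Admin-side form: the hidden nonce ties the submission to this user, action and time window.
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="cn_save">';
    wp_nonce_field( CN_NONCE_ACTION, 'cn_nonce' );
    echo '<input type="text" name="cn_message" value="' . esc_attr( get_option( 'cn_message', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function cn_hardened_save() {
    // 1. Capability check: only users allowed to manage options may change the notice.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: terminates the request unless a valid nonce for this action is present.
    check_admin_referer( CN_NONCE_ACTION, 'cn_nonce' );
    // 3. Sanitise on save: strips tags and control characters before storage.
    $message = sanitize_text_field( wp_unslash( $_POST['cn_message'] ?? '' ) );
    update_option( 'cn_message', $message );
    wp_safe_redirect( admin_url( 'options-general.php?page=cn&updated=1' ) );
    exit;
}
add_action( 'admin_post_cn_save', 'cn_hardened_save' );

function cn_render_notice() {
    // 4. Escape on output: even a previously stored unsanitised value cannot execute as script.
    echo '<div class="cn-notice">' . esc_html( get_option( 'cn_message', '' ) ) . '</div>';
}
add_action( 'wp_footer', 'cn_render_notice' );
```

The nonce alone stops the cross-site submission; the sanitise-and-escape steps are what keep an already-poisoned option from executing on the front page.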
