oss-sec mailing list archives

CVE Request -- WordPress (3.4.2): CSRF in the incoming links section of the dashboard


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Tue, 25 Sep 2012 08:46:31 -0400 (EDT)

Hello Kurt, Steve, WordPress Security Team, vendors,

  an anonymous researcher called 'Akastep' has reported
a CSRF flaw being present in the way WordPress version
v3.4.2 and earlier used to process the incoming links section /
widget of the dashboard.

References:

[1] http://packetstormsecurity.org/files/116785/WordPress-3.4.2-Cross-Site-Request-Forgery.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=860261
[3] https://bugs.gentoo.org/show_bug.cgi?id=436198
[4] https://secunia.com/advisories/50715/

AFAIK there is not an upstream ticket or patch for this issue
yet (but I might have overlooked something pretty obvious - WordPress
upstream please clarify).

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
