oss-sec mailing list archives
Re: CVE request: WordPress plugin uk-cookie CSRF
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 13 Jun 2013 17:57:32 -0600
On 06/06/2013 11:44 AM, Henri Salo wrote:
Hello,

While reproducing CVE-2012-5856[1][2] I noticed there is a CSRF security vulnerability in the uk-cookie plugin, and by abusing it an attacker can insert XSS into the front page of a WordPress installation. Version 1.1 is the latest and I did not test older versions. The OSVDB item[3] should be updated. The plugin is currently disabled in the WordPress plugin repository, so the vendor URL is currently 404.

PoC: https://github.com/wpscanteam/wpscan/issues/184#issuecomment-19038566

Product: Uk Cookie Plugin for WordPress
Vendor URL: http://wordpress.org/plugins/uk-cookie/
Vendor SVN: http://plugins.svn.wordpress.org/uk-cookie/trunk/
Vulnerability Type: CWE-352
Vulnerable Versions: 1.1 and probably earlier
Fixed Version: N/A

Kurt, could you assign a CVE identifier for the CSRF vulnerability, thanks.

1: http://seclists.org/bugtraq/2012/Nov/50
2: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5856
3: http://osvdb.org/87561

Similar plugins are available: http://wordpress.org/plugins/uk-cookie-consent/

--
Qentinel, Henri Salo
http://www.qentinel.com/en/
Please use CVE-2013-2180 for this issue.

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993
A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
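For readers wanting to see the CWE-352 pattern from the report above in concrete terms, here is an added example (not the uk-cookie plugin's code; every `example_cookie_*` name and option key is hypothetical) of a WordPress settings handler for a cookie-notice message that rejects a forged cross-site POST with a nonce and capability check, and escapes the stored value before it reaches the front page:

```php
<?php
// Hypothetical cookie-notice plugin settings code (not from uk-cookie).
// Two controls whose absence turns a settings form into CSRF -> stored XSS:
// (1) nonce + capability check when saving, (2) escaping wherever the value is output.

// Admin page: render the form with a nonce bound to the save action.
function example_cookie_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $message = get_option( 'example_cookie_message', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_cookie_save">
        <?php wp_nonce_field( 'example_cookie_save', 'example_cookie_nonce' ); ?>
        <textarea name="example_cookie_message"><?php echo esc_textarea( $message ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Save handler: a request from another origin cannot carry a valid nonce, so it dies here.
function example_cookie_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() terminates the request when the nonce is missing or invalid.
    check_admin_referer( 'example_cookie_save', 'example_cookie_nonce' );
    $raw     = isset( $_POST['example_cookie_message'] ) ? wp_unslash( $_POST['example_cookie_message'] ) : '';
    $message = wp_kses_post( $raw ); // strip script/event-handler markup before storing
    update_option( 'example_cookie_message', $message );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-cookie&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_cookie_save', 'example_cookie_save' );

// Front page: filter again at output time so a value stored by any other path cannot run as script.
function example_cookie_banner() {
    $message = get_option( 'example_cookie_message', '' );
    if ( '' !== $message ) {
        echo '<div class="cookie-banner">' . wp_kses_post( $message ) . '</div>';
    }
}
add_action( 'wp_footer', 'example_cookie_banner' );
```

Logging the `check_admin_referer()` failures (WordPress reports them as "The link you followed has expired") gives a simple detection signal for CSRF attempts against the settings page.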