Opened 6 months ago
Closed 6 months ago
#23004 closed defect (bug) (invalid)
Editor CSRF vulnerabilities discovered
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | Security | Version: | 3.5 |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
Reproduce
- Log in as a user with writer (or editor) privileges. -> example) user name "test", user id = 2
- Input the syntax below into the visual editor.
<img src="http://localhost/wp-admin/users.php?s=&_wponce=7258002722&_wp_http_referer=%2Fwp-admin%2Fusers.php%3Fupdate%3Dpromote&action=-1&new_role=administrator&changeit=%EB%B3%80%EA%B2%BD&paged=1&users%5B%5D=2&action2=-1" alt="" />
The parameter users%5B%5D=2 carries the target user number.
- Log in as a user with administrator privileges. -> example) user name "admin", user id = 1
- User "admin" views the post written in step 2.
- User "admin" can see the "x box" image.
- User "test" gains administrator privileges.
Attachments will be added
Change History (3)
comment:2
drssay
— 6 months ago
Sorry, I see.
I have sent the vulnerability details to the email address security_AT_wordpress.org
comment:3
SergeyBiryukov
— 6 months ago
- Component changed from General to Security
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Severity changed from critical to normal
- Status changed from new to closed
Where did you get the value "7258002722" for the _wpnonce parameter from?
Copy/paste from a session when you were logged in as admin? That doesn't count then.
And: Next time please do not report security vulnerabilities here, but by following the instructions at http://codex.wordpress.org/FAQ_Security
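The point behind the "invalid" resolution is that the _wpnonce value in the forged URL is not a constant: WordPress derives it from a server-side secret, the action name, the ID of the logged-in user and a 12-hour time tick, so the only way user "test" (ID 2) can obtain a nonce that verifies for "admin" (ID 1) is to already have an admin session. The following is an added example, not code from the ticket or from WordPress itself; it mirrors the shape of wp_create_nonce() / wp_verify_nonce() in the 3.x series (HMAC-MD5 over tick, action and user ID, truncated to 10 hex characters, accepted for the current and previous tick) and replays the ticket's scenario against a simplified stand-in for the users.php bulk handler. The salt, user IDs, timestamps and the `users_php()` helper are constructed for the demonstration.

```python
"""Model of WordPress 3.x-style nonces, showing why the ticket's CSRF fails.

Added example, not WordPress code. The salt below is a constructed stand-in
for wp_salt('nonce'); users_php() is a simplified stand-in for the nonce
check that check_admin_referer('bulk-users') performs in wp-admin/users.php.
"""
import hashlib
import hmac
import math
import time
from urllib.parse import parse_qs, urlencode, urlparse

NONCE_LIFE = 24 * 60 * 60                     # DAY_IN_SECONDS, default nonce lifetime
SITE_NONCE_SALT = b"constructed-secret-nonce-salt"  # assumption: the server's secret
ADMIN_UID, ATTACKER_UID = 1, 2                # "admin" and "test" from the ticket
BULK_ACTION = "bulk-users"                    # nonce action used by the users list table


def nonce_tick(now):
    """wp_nonce_tick(): the 12-hour window a nonce is bound to."""
    return math.ceil(now / (NONCE_LIFE / 2))


def _nonce_for_tick(tick, action, uid, salt):
    # wp_hash($i . $action . $uid, 'nonce') is HMAC-MD5; substr(..., -12, 10)
    mac = hmac.new(salt, f"{tick}{action}{uid}".encode(), hashlib.md5).hexdigest()
    return mac[-12:][:10]


def create_nonce(action, uid, now, salt=SITE_NONCE_SALT):
    """wp_create_nonce(): the nonce a page rendered for `uid` at `now` carries."""
    return _nonce_for_tick(nonce_tick(now), action, uid, salt)


def verify_nonce(nonce, action, uid, now, salt=SITE_NONCE_SALT):
    """wp_verify_nonce(): 1 if made this tick, 2 if made last tick, else False."""
    tick = nonce_tick(now)
    if hmac.compare_digest(nonce, _nonce_for_tick(tick, action, uid, salt)):
        return 1
    if hmac.compare_digest(nonce, _nonce_for_tick(tick - 1, action, uid, salt)):
        return 2
    return False


def forged_img_url(nonce):
    """The <img src> from the ticket, reduced to the parameters that matter."""
    query = urlencode({"_wpnonce": nonce, "action": "promote",
                       "new_role": "administrator", "users[]": ATTACKER_UID})
    return "http://localhost/wp-admin/users.php?" + query


def users_php(url, logged_in_uid, now):
    """Stand-in for the users.php bulk handler (constructed for this example).

    The browser sends the victim's cookies, so the nonce is checked against
    the *cookie-authenticated* user. Returns the IDs promoted, [] on failure.
    """
    params = parse_qs(urlparse(url).query)
    nonce = params.get("_wpnonce", [""])[0]
    if not verify_nonce(nonce, BULK_ACTION, logged_in_uid, now):
        return []                              # wp_nonce_ays(): "Are you sure ...?"
    return [int(u) for u in params.get("users[]", [])]


def csrf_outcomes(now):
    """Replay the ticket with each plausible source of the _wpnonce value."""
    attacker_nonce = create_nonce(BULK_ACTION, ATTACKER_UID, now)  # from test's own pages
    admin_nonce = create_nonce(BULK_ACTION, ADMIN_UID, now)        # copied from an admin session
    return {
        # nonce the attacker can legitimately obtain: bound to uid 2, rejected for uid 1
        "attacker_own_nonce": users_php(forged_img_url(attacker_nonce), ADMIN_UID, now),
        # nonce lifted from an admin session: works, but then you already have admin
        "copied_admin_nonce": users_php(forged_img_url(admin_nonce), ADMIN_UID, now),
        # the same admin nonce one day later: two ticks old, rejected
        "copied_admin_nonce_next_day": users_php(forged_img_url(admin_nonce), ADMIN_UID, now + NONCE_LIFE),
        # a fixed value typed into the URL, as in the ticket: no secret, no match
        "fixed_value_from_ticket": users_php(forged_img_url("7258002722"), ADMIN_UID, now),
    }


if __name__ == "__main__":
    for case, promoted in csrf_outcomes(time.time()).items():
        print(f"{case:30} promoted users: {promoted}")
```

Only the "copied_admin_nonce" case promotes user 2, and that case presupposes the attacker already holds an admin session, which is exactly why the report does not describe a CSRF bypass. Note that the model is deliberately narrower than the real check: check_admin_referer() also validates the HTTP referer, and WordPress 4.0 and later additionally bind the nonce to the user's session token, so a nonce taken from one admin login no longer verifies in another.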