id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc,focuses
10294,CSRF through the img tag,SaltwaterC,ryan,"The filtered HTML should be more ... well, filtered. Although since WordPress 2.8 you can't do CSRF with a link like this: http://example.com/?logout=true&action=logout (where example.com holds a WP installation) because the logout requires the _wpnonce parameter to be specified in the GET request (2.7.1 has this issue), the installation is still vulnerable to this type of CSRF against other sites. While this kind of stuff is mostly annoying (as an example, within a blog's post), it can be used for more severe actions. I didn't start with the ""filtered HTML"" state by accident. This kind of vulnerability can be triggered by blog users who actually have lower privileges, thus using the filtered HTML feature, which turns out to be inefficient for this kind of issue.",defect (bug),closed,normal,,Security,,normal,invalid,,,