
Opened 2 years ago

Closed 2 years ago

#20593 closed defect (bug) (invalid)

wordpress 3.3.2 clickjacking

Reported by: abysssec
Owned by:
Milestone:
Priority: normal
Severity: critical
Version:
Component: Gallery
Keywords:
Focuses:
Cc:

Description (last modified by nacin)

The WordPress admin panel has X-Frame-Options, which prevents clickjacking, but on the main page of the blog no X-Frame-Options has been set, so it is possible to trick him into posting a comment using clickjacking. As you may know, the admin can post comments with HTML, and obviously by default this isn't dangerous. But as the blog main page has no X-Frame-Options, it is possible to make XSS of it, and finally you can mix clickjacking / XSS / HTTPOnly disclosure to make a working exploit.

Thanks, Abysssec Team
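The report contrasts the admin panel, which sends X-Frame-Options, with the blog front page, which does not. As an added example (not code from the ticket or from WordPress), the Python below classifies a response's framing protection from its headers, applying the browser rule that a CSP frame-ancestors directive takes precedence over X-Frame-Options; the header sets at the bottom are constructed to mirror the two pages the report describes.

```python
# Added example (not from the ticket): classify how well a response resists framing.
from typing import Dict, List, Optional

def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def framing_policy(headers: Dict[str, str]) -> str:
    """Return 'denied', 'same-origin', 'restricted' or 'framable'."""
    csp = get_header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            # frame-ancestors, when present, takes precedence over X-Frame-Options.
            if not sources or sources == ["'none'"]:
                return "denied"
            if sources == ["'self'"]:
                return "same-origin"
            return "restricted"  # framing limited to the listed origins
    xfo = get_header(headers, "X-Frame-Options")
    if xfo is None:
        return "framable"  # the condition the ticket reports for the front page
    values = {v.strip().upper() for v in xfo.split(",") if v.strip()}
    if len(values) > 1:
        return "denied"  # conflicting values: browsers refuse to render the frame
    value = values.pop()
    if value == "DENY":
        return "denied"
    if value == "SAMEORIGIN":
        return "same-origin"
    # Unrecognised values (including the obsolete ALLOW-FROM) are ignored by
    # current browsers, so the page is effectively framable.
    return "framable"

# Constructed sample responses modelled on the ticket's description.
ADMIN_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
FRONT_PAGE_HEADERS = {"Content-Type": "text/html", "Set-Cookie": "wp_session=x; HttpOnly"}

if __name__ == "__main__":
    for name, hdrs in [("wp-admin", ADMIN_HEADERS), ("front page", FRONT_PAGE_HEADERS)]:
        print(f"{name}: {framing_policy(hdrs)}")
```

Any response that comes back "framable" is a candidate for adding a DENY or SAMEORIGIN header (or a frame-ancestors directive) at the web server or application layer.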

Change History (1)

comment:1 nacin, 2 years ago

  • Description modified (diff)
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

In the future, please follow the instructions on the new ticket page:

Do not report potential security vulnerabilities here. Read the Security FAQ and email us at security@….

Feel free to email us and we will gladly communicate with you.
