wordpress 3.3.2 clickjacking
|Reported by:||abysssec||Owned by:|
Description (last modified by nacin)
Wordpress Admin panel has x-frame-option which prevent clickjacking but in main page of blog no x-frame-option has been set, so it possible to trick him and make him to post a comment, using Clickjacking. As you may know admin can post comment with html and it is obvious by default this isn't dangerous, But as blog main page has no x-frame-option it is possible to make XSS of it and finally you can mix ClickJacking /XSS / HTTPOnly Disclosure to make a working exploit.
thanks Abysssec Team