Opened 13 years ago
Closed 13 years ago
#20593 closed defect (bug) (invalid)
wordpress 3.3.2 clickjacking
| Field | Value |
|---|---|
| Reported by | |
| Owned by | |
| Milestone | |
| Priority | normal |
| Severity | critical |
| Version | |
| Component | Gallery |
| Keywords | |
| Focuses | |
| Cc | |
Description (last modified by )
The WordPress admin panel sets an X-Frame-Options header, which prevents clickjacking, but on the main page of the blog no X-Frame-Options header has been set, so it is possible to trick the admin into posting a comment using clickjacking. As you may know, the admin can post comments with HTML, and obviously by default this isn't dangerous, but as the blog main page has no X-Frame-Options header it is possible to make an XSS out of it, and finally you can mix clickjacking / XSS / HttpOnly disclosure to make a working exploit.
Thanks, Abysssec Team
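As an added example (not code from the ticket or from WordPress), a small Python audit that classifies a response's anti-framing headers and lists HTML pages lacking one, run over constructed header sets modelling the reporter's observation: the admin panel sends X-Frame-Options, the front page sends nothing. The paths and header values are constructed, not captured from a real site.

```python
from typing import List, Mapping, Optional

# Constructed sample responses modelling the ticket's observation:
# wp-admin sends X-Frame-Options, the blog front page sends nothing.
SAMPLE_RESPONSES = {
    "/wp-admin/": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "/": {"Content-Type": "text/html"},
    "/?p=1": {"Content-Type": "text/html",
              "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "/feed/": {"Content-Type": "application/rss+xml"},
}


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def framing_protection(headers: Mapping[str, str]) -> str:
    """Classify how a response restricts being framed: "csp", "xfo",
    "xfo-allow-from" or "none". Browsers honouring CSP frame-ancestors
    give it precedence over X-Frame-Options, so it is checked first."""
    csp = _header(headers, "Content-Security-Policy") or ""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # An empty list, 'none', 'self' or explicit origins all restrict
            # framing; a wildcard source makes the directive ineffective.
            if "*" not in tokens[1:]:
                return "csp"
    xfo = (_header(headers, "X-Frame-Options") or "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    if xfo.startswith("ALLOW-FROM"):
        return "xfo-allow-from"  # obsolete; most browsers ignore it
    return "none"


def unprotected_html_pages(responses: Mapping[str, Mapping[str, str]]) -> List[str]:
    """Paths serving HTML with no effective anti-framing header."""
    return sorted(
        path for path, headers in responses.items()
        if (_header(headers, "Content-Type") or "").startswith("text/html")
        and framing_protection(headers) == "none"
    )
```

Running `unprotected_html_pages(SAMPLE_RESPONSES)` on the constructed data reports only the front page, which is exactly the gap the ticket describes; non-HTML responses such as the feed are skipped because they cannot be clickjacked.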
Change History (1)
In the future, please follow the instructions on the new ticket page:
Do not report potential security vulnerabilities here. Read the Security FAQ and email us at security@….
Feel free to email us and we will gladly communicate with you.