WordPress.org

Make WordPress Core

#23004 closed defect (bug) (invalid)

Editor CSRF vulnerabilities discovered

Reported by: drssay
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.5
Component: Security
Keywords:
Focuses:
Cc:

Description

Reproduce

  1. Log in as a user with writer (or editor) privileges. -> example) user name "test", user id = 2
  2. Input the syntax below in the visual editor.
<img src="http://localhost/wp-admin/users.php?s=&_wponce=7258002722&_wp_http_referer=%2Fwp-admin%2Fusers.php%3Fupdate%3Dpromote&action=-1&new_role=administrator&changeit=%EB%B3%80%EA%B2%BD&paged=1&users%5B%5D=2&action2=-1" alt="" />

Parameters passed to the user number users%5B%5D=2

  1. Log in as a user with administrator privileges. -> example) username "admin", user id 1
  2. User "admin" views the post written in step 2.
  3. User "admin" can check the xbox image
  4. User "test" gains administrator privileges

Attachments will be added

Change History (3)

comment:1 TobiasBg 19 months ago

Where did you get the value "7258002722" for the _wpnonce parameter from?

Copy/paste from a session when you were logged in as admin? That doesn't count then.

And: Next time please do not report security vulnerabilities here, but by following the instructions at http://codex.wordpress.org/FAQ_Security
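
The point raised in comment 1, as an added example that is not part of the ticket and is not WordPress's own code: a simplified model of a nonce bound to an action and to the logged-in user. `SECRET`, `LIFETIME`, `make_nonce()`, `verify_nonce()`, `handle_promote()`, `expect()` and the action labels are assumptions made for illustration.

```php
<?php
// Simplified model (assumption, not WordPress code): the nonce is an HMAC
// over a time window, the action name and the id of the logged-in user.
const SECRET   = 'constructed-demo-secret'; // constructed value
const LIFETIME = 86400;                     // assumed validity, in seconds

function make_nonce(string $action, int $userId, ?int $now = null): string {
    $tick = (int) ceil(($now ?? time()) / (LIFETIME / 2));
    return substr(hash_hmac('sha256', "$tick|$action|$userId", SECRET), 0, 10);
}

function verify_nonce(string $nonce, string $action, int $userId): bool {
    $now = time();
    foreach ([0, LIFETIME / 2] as $age) {   // current and previous window
        if (hash_equals(make_nonce($action, $userId, $now - $age), $nonce)) {
            return true;
        }
    }
    return false;
}

// Hypothetical handler for the role-change request. The nonce is verified
// against the user whose session cookie arrived with the request.
function handle_promote(array $query, int $sessionUserId): string {
    $nonce = $query['_wpnonce'] ?? '';
    if (!is_string($nonce) || !verify_nonce($nonce, 'bulk-users', $sessionUserId)) {
        return 'rejected';
    }
    return 'role changed';
}

function expect(string $label, string $got, string $want): void {
    if ($got !== $want) {
        throw new RuntimeException("$label: got $got, want $want");
    }
    echo "$label: $got\n";
}

$editor = 2; // user "test" from the report
$admin  = 1; // user "admin" from the report
$params = ['new_role' => 'administrator', 'users' => [$editor]];
// The admin's browser loads the embedded URL, so the session user is $admin.
expect('no nonce', handle_promote($params, $admin), 'rejected');
expect('nonce minted for the editor',
    handle_promote($params + ['_wpnonce' => make_nonce('bulk-users', $editor)], $admin), 'rejected');
expect('nonce minted for another action',
    handle_promote($params + ['_wpnonce' => make_nonce('delete-post', $admin)], $admin), 'rejected');
expect("nonce from the admin's own session",
    handle_promote($params + ['_wpnonce' => make_nonce('bulk-users', $admin)], $admin), 'role changed');
```

In this model the only accepted request carries a value generated for the admin's own session and for this action, which is the situation comment 1 asks about.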

comment:2 drssay 19 months ago

Sorry, I see.
I send detail vulnerabilities to email address security_AT_wordpress.org

comment:3 SergeyBiryukov 19 months ago

  • Component changed from General to Security
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from critical to normal
  • Status changed from new to closed