Make WordPress Core

Opened 8 years ago

Closed 8 years ago

#4811 closed defect (bug) (fixed)

CSRF & XSS on some importers

Reported by: xknown
Owned by:
Milestone: 2.3
Priority: high
Severity: major
Version: 2.3
Component: Security
Keywords: has-patch commit
Focuses:
Cc:


On trunk, Ultimate Tag Warrior and Category to Tag Converter are vulnerable to CSRF and XSS.

Proof of Concepts

  1. CSRF: Convert all categories to tags without user confirmation. http://localhost/wp/wp-admin/admin.php?import=wp-cat2tag&step=4

  2. XSS: Someone has committed code to debug wp-cat2tag converter:
     echo '<!--'; print_r($_POST); print_r($_GET); echo '-->';
     It allows XSS attacks:
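Both problems in the report, as an added Python illustration that is not WordPress code and not part of the ticket: the debug dump lets a request value containing `-->` close the HTML comment and inject live markup, and the step-4 link performs the conversion for anyone who can get an administrator to open it. The nonce scheme below is modelled on WordPress's tick-based HMAC nonces (current and previous tick accepted); the key, the lifetime and the action name `import-cat2tag` are assumptions, as is the `cat2tag_step4` stand-in for the importer.

```python
"""Added illustration for this ticket (not WordPress code).

Models (1) the debug dump of $_POST/$_GET inside an HTML comment and
(2) the unauthenticated step-4 GET that converts categories to tags.
The nonce scheme is modelled on WordPress's tick-based HMAC nonces;
SECRET_KEY, NONCE_LIFE and ACTION are assumptions, not WP values.
"""
import hashlib
import hmac
import html
import math
import time
from urllib.parse import parse_qs, urlparse

SECRET_KEY = b"example-salt-not-a-real-wordpress-key"  # assumption
NONCE_LIFE = 24 * 3600      # assumption: two 12-hour ticks
ACTION = "import-cat2tag"   # assumption: hypothetical nonce action


# --- XSS side: request data dumped into an HTML comment -----------------

def debug_comment_unsafe(params: dict) -> str:
    """Mirrors the debug line from the ticket: values land in the page
    verbatim, so a value containing '-->' closes the comment early."""
    dump = "".join(f"[{k}] => {v}\n" for k, v in params.items())
    return f"<!--{dump}-->"


def debug_comment_safe(params: dict) -> str:
    """Same dump with keys and values HTML-escaped: '>' becomes '&gt;', so
    no value can terminate the comment. (Dropping the dump is the real fix;
    escaping is the fallback if it must stay.)"""
    dump = "".join(f"[{html.escape(k)}] => {html.escape(str(v))}\n"
                   for k, v in params.items())
    return f"<!--{dump}-->"


def outside_comment(markup: str) -> str:
    """What a browser treats as live markup: everything after the first
    '-->', minus the closing marker the debug code itself emits."""
    _head, sep, tail = markup.partition("-->")
    if not sep:
        return ""
    if tail.endswith("-->"):
        tail = tail[:-3]
    return tail.strip()


# --- CSRF side: a nonce tied to action, user and time -------------------

def _tick(now: float) -> int:
    # The clock is divided into ticks of half the nonce lifetime.
    return math.ceil(now / (NONCE_LIFE / 2))


def _nonce_for(tick: int, action: str, user_id: int) -> str:
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[-12:-2]


def create_nonce(action: str, user_id: int, now=None) -> str:
    now = time.time() if now is None else now
    return _nonce_for(_tick(now), action, user_id)


def verify_nonce(nonce: str, action: str, user_id: int, now=None) -> int:
    """1 = minted in the current tick, 2 = previous tick, 0 = invalid."""
    now = time.time() if now is None else now
    i = _tick(now)
    for age, tick in ((1, i), (2, i - 1)):
        if hmac.compare_digest(_nonce_for(tick, action, user_id), nonce):
            return age
    return 0


def nonce_url(url: str, action: str, user_id: int, now=None) -> str:
    """Appends the token the handler checks (the role wp_nonce_url plays)."""
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}_wpnonce={create_nonce(action, user_id, now)}"


def cat2tag_step4(url: str, user_id: int, now=None) -> str:
    """Hardened stand-in for the converter's step 4: nothing is converted
    unless the request carries a fresh nonce for this action and user."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if q.get("import") != "wp-cat2tag" or q.get("step") != "4":
        return "ignored"
    if not verify_nonce(q.get("_wpnonce", ""), ACTION, user_id, now):
        return "denied"
    return "converted"


if __name__ == "__main__":
    forged = "http://localhost/wp/wp-admin/admin.php?import=wp-cat2tag&step=4"
    print(cat2tag_step4(forged, user_id=1))                  # denied
    print(cat2tag_step4(nonce_url(forged, ACTION, 1), 1))    # converted
    evil = {"step": "--><script>alert(1)</script>"}          # constructed input
    print(outside_comment(debug_comment_unsafe(evil)))      # <script>alert(1)</script>
    print(repr(outside_comment(debug_comment_safe(evil))))  # ''
```

In the real importer the same check is WordPress's own nonce API: `check_admin_referer()` on the step that performs the conversion and `wp_nonce_url()` (or `wp_nonce_field()` in the form) on the link that leads to it; a link copied from another site or pasted into an email then carries no valid token and the handler stops before touching the database.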

Attachments (1)

importers.diff (2.6 KB) - added by xknown 8 years ago.
Avoid CSRF and XSS on some importers


Change History (3)

@xknown 8 years ago

Avoid CSRF and XSS on some importers

comment:1 @rob1n 8 years ago

  • Keywords has-patch commit added
  • Milestone set to 2.3
  • Priority changed from normal to high
  • Severity changed from normal to major

I'm partially to blame for the UTW importer (didn't check it over before committing) and wholly to blame for the second one (bad coding).

+2 to the patch.

comment:2 @ryan 8 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [5941]) Add nonces to tag importers. Props xknown. fixes #4811
