Make Nonce Mismatch Fail Instead of AYS
Reported by: filosofo | Owned by:
Component: Security | Keywords: nonce ays csrf css security has-patch
As the post here points out (I've duplicated his attack using my own 2.3.3 setup), you can make a CSRF attack that tricks a WordPress user into changing the admin password and emailing it to someone, by hiding all of the nonce confirmation except the "yes" submit button.
When the nonce doesn't match, my patch lets you know that the action has failed, and it provides a link back to the referring page so that you can try again.
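To show why the "Are you sure?" page defeats the nonce check and what failing outright changes, here is an added Python model of the two behaviours (not the ticket's patch or WordPress code; the nonce scheme, handler names, site secret and sample action are simplified assumptions):

```python
import hmac
import hashlib
import html
from typing import Optional

SECRET = b"constructed-site-secret"  # stands in for the site's secret key (constructed value)
USER = "admin"                        # the logged-in user whose browser the forged page rides on

def make_nonce(action: str, user: str = USER) -> str:
    """Bind a nonce to an action and a user, as WordPress nonces are (simplified: no time window)."""
    return hmac.new(SECRET, f"{action}|{user}".encode(), hashlib.sha256).hexdigest()[:10]

def verify_nonce(nonce: Optional[str], action: str, user: str = USER) -> bool:
    return hmac.compare_digest(nonce or "", make_nonce(action, user))

def ays_handler(action: str, nonce: Optional[str], referer: str, state: dict) -> str:
    """Pre-patch behaviour: a bad nonce yields an 'Are you sure?' page whose form carries a
    FRESH, valid nonce. The CSRF protection is undone because the page itself mints the token
    the forged request lacked; only a click on 'Yes' stands between the attacker and the action."""
    if verify_nonce(nonce, action):
        state["done"] = action
        return "OK"
    fresh = make_nonce(action)
    return (f"<form method='post'>Are you sure you want to do this?"
            f"<input type='hidden' name='_wpnonce' value='{fresh}'>"
            f"<input type='submit' value='Yes'></form>")

def fail_handler(action: str, nonce: Optional[str], referer: str, state: dict) -> str:
    """Patched behaviour: a bad nonce fails outright. No nonce is minted for the user; the only
    thing offered is a link back to the referring page, so a retry re-enters the normal flow.
    The referer is attacker-influenced, so it is escaped here; a real implementation should
    also restrict it to same-site URLs (assumption, not part of the ticket's patch)."""
    if verify_nonce(nonce, action):
        state["done"] = action
        return "OK"
    back = html.escape(referer, quote=True)
    return (f"<p>Action failed: the security check did not pass.</p>"
            f"<a href='{back}'>Go back and try again</a>")

def nonce_in(page: str) -> Optional[str]:
    """Extract the hidden nonce from a response, if the response handed one out."""
    marker = "name='_wpnonce' value='"
    i = page.find(marker)
    return None if i < 0 else page[i + len(marker):].split("'", 1)[0]
```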
Change History (13)
- Milestone changed from 2.5 to 2.3.4
- Resolution fixed deleted
- Status changed from closed to reopened