Log out actions should be protected against CSRF
|Reported by:||markjaquith||Owned by:||markjaquith|
Anyone can log you out of any WordPress install using CSRF (i.e. pointing you to the /wp-login.php?action=logout for that blog). This can aid in phishing attempts, and can have unforeseen security ramifications.
Log out actions should have their intention validated via nonce with fallback to AYS.
Change History (7)
comment:1 @markjaquith — 7 years ago
- Owner changed from anonymous to markjaquith
- Status changed from new to assigned