[wp-hackers] Rethinking check_admin_referer()

David House dmhouse at gmail.com
Tue Apr 18 09:11:40 GMT 2006


On 18/04/06, Paul Mitchell <wp-hackers at paul-mitchell.me.uk> wrote:
> My bug report for this flaw would be "In all known versions of
> WordPress, anyone trusted to write a draft can also nuke the blog" and I
> would classify it "critical security". I'm glad I don't have to fix this
> one.

How about this:

1) Admin writes a post.
2) Malicious user leaves a comment with an "image", whose source
redirects to http://yoursite.com/wp-admin/post.php?action=delete&post=123
3) Admin logs in
4) Manage -> Comments
5) Post is deleted.

No need to be able to create drafts.

--
-David House, dmhouse at gmail.com, http://xmouse.ithium.net
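The scenario above works because the browser fetching the "image" from the Manage -> Comments page sends the admin's cookies and a Referer that points inside wp-admin, so a check that only inspects the Referer is satisfied by a request the admin never intended. The following is an added illustration, not code from the thread or from WordPress: it contrasts a referer-only check with a per-user, per-action token check of the kind a nonce scheme provides. The request dictionaries, the `delete-post_<id>` action name, the HMAC construction, the time window and the secret are all assumptions made for the example.

```python
import hashlib
import hmac
import time

# Constructed server-side secret for the example; a real deployment keeps this in config.
SECRET_KEY = b"constructed-example-secret"
NONCE_LIFETIME = 12 * 3600  # seconds; hypothetical validity window


def make_nonce(user_id, action, now=None):
    """Derive a token bound to the acting user, one specific action and a time window.

    Because it is keyed with a server secret, a third party cannot compute it, and
    because it is bound to the user and action it cannot be reused for another
    post or by another account.
    """
    base = time.time() if now is None else now
    tick = int(base // NONCE_LIFETIME)
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce, user_id, action, now=None):
    """Accept the current or the immediately preceding window; compare in constant time."""
    if not nonce:
        return False
    base = time.time() if now is None else now
    for offset in (0, NONCE_LIFETIME):
        expected = make_nonce(user_id, action, base - offset)
        if hmac.compare_digest(nonce, expected):
            return True
    return False


def referer_only_check(request):
    """The weak check: trust any request whose Referer lies inside wp-admin.

    A request triggered from within an admin page (the comment 'image' case) carries
    exactly such a Referer, so this check does not distinguish it from a real click.
    """
    return "/wp-admin/" in request.get("referer", "")


def nonce_check(request, user_id, now=None):
    """The stronger check: require a POST carrying a valid token for this user and action."""
    post_id = request["query"].get("post")
    action = f"delete-post_{post_id}"  # hypothetical action name
    if request["method"] != "POST":
        return False
    return verify_nonce(request["query"].get("_wpnonce"), user_id, action, now)


def handle_delete(request, user_id, policy, now=None):
    """Simulated post.php?action=delete handler; returns what the server would do."""
    if policy == "referer":
        allowed = referer_only_check(request)
    elif policy == "nonce":
        allowed = nonce_check(request, user_id, now)
    else:
        raise ValueError("unknown policy")
    return "deleted" if allowed else "rejected"


# Constructed request as the browser would issue it while rendering the comments page:
# the admin's session is attached, the Referer is an admin page, but no token is present.
IMAGE_TRIGGERED = {
    "method": "GET",
    "referer": "http://yoursite.com/wp-admin/edit-comments.php",
    "query": {"action": "delete", "post": "123"},
}


def legitimate_request(user_id, now):
    """Constructed request from a real delete button: POST plus a freshly issued token."""
    return {
        "method": "POST",
        "referer": "http://yoursite.com/wp-admin/edit.php",
        "query": {
            "action": "delete",
            "post": "123",
            "_wpnonce": make_nonce(user_id, "delete-post_123", now),
        },
    }


if __name__ == "__main__":
    t = 1_700_000_000
    print("referer policy, image-triggered:", handle_delete(IMAGE_TRIGGERED, 1, "referer", t))
    print("nonce policy, image-triggered:  ", handle_delete(IMAGE_TRIGGERED, 1, "nonce", t))
    print("nonce policy, real button:      ", handle_delete(legitimate_request(1, t), 1, "nonce", t))
```

The token is only one half of the fix: the delete action also has to stop being reachable by a plain GET, since an image or link fetch is always a GET with no body and no way to carry a form field the attacker cannot guess. Binding the token to the user and the specific post means a token leaked from one page cannot be replayed against another post or by another account.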

