[wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)
chris at lod.com
Fri Mar 28 15:29:06 UTC 2014
I think Daniel was referring to posting to a public list: some malicious
people could take advantage of this and cause some havoc.
On 2014-03-28, 10:46 AM, "Harry Metcalfe" <harry at dxw.com> wrote:
>This vulnerability was reported to plugins at wordpress.org on 2nd
>February. The author has not responded, so we are disclosing the
>vulnerability in order that anyone using this plugin can take steps to
>This is certainly not an advertisement.
>Administrivia: It was my assumption that this list would be interested
>to know about vulnerable plugins. If anyone has strong feelings for or
>against that assumption, please let me know off-list. If there is a
>consensus we will honour it.
>On 28/03/2014 14:41, Daniel Bachhuber wrote:
>> Hi Harry,
>> Please refrain from advertising on this list. Plugin security issues should
>> be reported to plugins at wordpress.org
>> On Fri, Mar 28, 2014 at 5:39 AM, Harry Metcalfe <harry at dxw.com> wrote:
>>> Software: WP HTML Sitemap
>>> Version: 1.2
>>> Homepage: http://wordpress.org/plugins/wp-html-sitemap/
>>> CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)
>>> CSRF vulnerability in WP HTML Sitemap 1.2
>>> A CSRF vulnerability exists which allows an attacker to delete the sitemap
>>> if a logged-in admin user visits a link of the attacker's choosing.
>>> Line 202 of inc/AdminPage.php says "// check whether form was just
>>> submitted" but the following if/elseif statements only check whether a
>>> particular button was pressed without checking nonce values. The form in
>>> question is printed in wp_html_sitemap_AdminPage::createSitemapForm()
>>> around line 146 of the same file.
>>> Proof of concept
>>> This form deletes the sitemap without requiring a nonce value:
>>> <form action="http://not-a-real-site.local/wp-admin/options-general.php?page=wp-html-sitemap&tab=general" method="POST">
>>> <input type="text" name="deleteSitemap" value="Delete Sitemap">
>>> <input type="submit">
>>> </form>
>>> Disable the plugin until a fix is available.
>>> Disclosure policy
>>> dxw believes in responsible disclosure. Your attention is drawn to our
>>> disclosure policy: https://security.dxw.com/disclosure/
>>> Please contact us on security at dxw.com to acknowledge this report if you
>>> received it via a third party (for example, plugins at wordpress.org) as
>>> they generally cannot communicate with us on your behalf.
>>> Please note that this vulnerability will be published if we do not receive
>>> a response to this report within 14 days.
>>> 2014-02-21: Discovered
>>> 2014-02-26: Reported
>>> 2014-03-28: No response received. Published
>>> Discovered by dxw:
>>> Tom Adams
>>> Please visit security.dxw.com for more information.
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
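Editor's added example (not code from the thread, the plugin, or dxw): the advisory describes an admin-page handler that acts on whichever submit button is present in $_POST without verifying a nonce. The PHP below reconstructs that pattern generically and places the nonce-protected version beside it. All function and option names (wp_html_sitemap_example_*, the 'wp_html_sitemap_pages' option, the 'wp_html_sitemap_manage' nonce action) are assumptions chosen for illustration; only the WordPress API calls (wp_nonce_field, check_admin_referer, current_user_can, delete_option, update_option, esc_url, admin_url) are real.

```php
<?php
// Added example, not the plugin's source. Names below are illustrative.

// VULNERABLE: only checks which button was pressed. Any cross-site POST that
// carries deleteSitemap=... is honoured, because nothing proves the request
// came from a form WordPress rendered for this logged-in admin. A capability
// check alone does not help: the victim admin's browser sends the cookies.
function wp_html_sitemap_example_handle_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // check whether form was just submitted
    if ( isset( $_POST['deleteSitemap'] ) ) {
        delete_option( 'wp_html_sitemap_pages' );      // assumed option name
    } elseif ( isset( $_POST['createSitemap'] ) ) {
        update_option( 'wp_html_sitemap_pages', array() );
    }
}

// HARDENED, part 1: the form embeds a nonce bound to an action string and to
// the current user's session, so a third-party page cannot forge it.
function wp_html_sitemap_example_form() {
    $action_url = admin_url( 'options-general.php?page=wp-html-sitemap&tab=general' );
    ?>
    <form action="<?php echo esc_url( $action_url ); ?>" method="post">
        <?php wp_nonce_field( 'wp_html_sitemap_manage', 'wp_html_sitemap_nonce' ); ?>
        <input type="submit" name="createSitemap" value="Create Sitemap">
        <input type="submit" name="deleteSitemap" value="Delete Sitemap">
    </form>
    <?php
}

// HARDENED, part 2: the handler verifies the nonce before touching state.
function wp_html_sitemap_example_handle_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( ! isset( $_POST['deleteSitemap'] ) && ! isset( $_POST['createSitemap'] ) ) {
        return; // no form submission in this request
    }
    // check_admin_referer() calls wp_die() when the nonce field is missing,
    // expired, or was issued for another action or user, so the forged POST
    // from the proof-of-concept form stops here and never reaches delete_option().
    check_admin_referer( 'wp_html_sitemap_manage', 'wp_html_sitemap_nonce' );

    if ( isset( $_POST['deleteSitemap'] ) ) {
        delete_option( 'wp_html_sitemap_pages' );
    } elseif ( isset( $_POST['createSitemap'] ) ) {
        update_option( 'wp_html_sitemap_pages', array() );
    }
}
```

The nonce is a CSRF defence, not an authorization check, which is why the current_user_can() test stays in the hardened handler. If you would rather show an admin notice than let check_admin_referer() die, call wp_verify_nonce() on the posted field and return early when it is false.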