[wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

TV productions info at tv-productions.org
Fri Mar 28 21:33:33 UTC 2014


I like the idea of a warning through the wordpress.org repo.

It might be nice if there were a button like "WP version x and 
plugin version y work/don't work" with a text like "Security issue 
found" and when it is clicked by one (or one authorized account), there 
should be a big warning. This warning should be displayed on the plugin 
page, but also appear in the WP backend of WP installs with that plugin 
activated/installed.

This is, I think, the right way to warn users about the unsafe plugins 
they are using.

Ties

---
TV productions :: Web development and stuff
http://tv-productions.org

On 28-03-2014 22:19, Mark Costlow wrote:
> I like that idea too.
> 
> 
> For anyone interested, @exploitdb on twitter posts exploits in all
> manner of software, including many web apps, including WP plugins.
> (I have nothing to do with it, I just follow it).
> 
> Mark
> 
> 
> On Sat, Mar 29, 2014 at 08:03:59AM +1100, Daniel wrote:
> That's a better way of doing things
> 
> On 3/29/14, Dino Termini <dino at duechiacchiere.it> wrote:
> > Again, I think this should be added to wp core, and managed through the
> > repo. When a plugin is removed from the repo, or better "deactivated" (not
> > downloadable but with a big red warning saying why, just like they do for
> > plugins older than 2 years), people get a notice in their admin telling them
> > what happened. Only a few geeks (including myself) would check that other
> > mailing list, leaving the majority of wp users unprotected.
> >
> > Should I file a request on trac?
> >
> > Dino
> >
> > On March 28, 2014 4:54:30 PM EDT, Tom Barrett <tcbarrett at gmail.com> wrote:
> >>Most of all, I'd like it if people trimmed their emails to be less
> >>spammy.
> >>
> >>I think what Harry is doing is a good thing, and I want to be aware of
> >>security issues with wordpress.org plugins (as well as any others).
> >>
> >>I'm happy for security reports, as per Harry's recent ones, to be
> >>posted
> >>here.
> >>_______________________________________________
> >>wp-hackers mailing list
> >>wp-hackers at lists.automattic.com
> >>http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
> 
> 
> --
> Regards,
> Daniel Fenn
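The backend warning that Ties proposes above, as an added example that is not from this thread, from WordPress core or from the WP HTML Sitemap plugin: a small mu-plugin in PHP that compares the installed plugins against an advisory list and prints an admin notice for every match. The advisory array, the `tvp_example_` function names and the plugin slug `wp-html-sitemap` are constructed assumptions (in the proposed design the list would be published by wordpress.org); the WordPress hooks and functions it calls (`admin_notices`, `get_plugins`, `is_plugin_active`, `current_user_can`, `esc_html`) are real core APIs.

```php
<?php
/**
 * Added example, not code from the thread, from WordPress core or from the plugin:
 * a mu-plugin (drop into wp-content/mu-plugins/) that warns administrators when an
 * installed plugin appears in an advisory list.
 */

// Constructed sample advisory feed: plugin slug => highest affected version and a note.
// In the design discussed on the list this would be fetched from the wordpress.org repo.
function tvp_example_advisories() {
    return array(
        'wp-html-sitemap' => array(      // hypothetical slug for the plugin in the subject line
            'affected_max' => '1.2',     // versions <= this value are considered affected
            'note'         => 'Security issue found (CSRF). Update or deactivate the plugin.',
        ),
    );
}

/**
 * Pure matcher, kept free of WordPress calls so it can be tested outside WP.
 * $installed has the shape returned by get_plugins():
 *   'dir/file.php' => array('Name' => ..., 'Version' => ...)
 * Returns one entry per installed plugin that falls inside an advisory's version range.
 */
function tvp_example_match_advisories(array $installed, array $advisories) {
    $matches = array();
    foreach ($installed as $plugin_file => $data) {
        // 'wp-html-sitemap/wp-html-sitemap.php' -> 'wp-html-sitemap'; single-file plugins give '.'
        $slug = dirname($plugin_file);
        if ($slug === '.') {
            $slug = basename($plugin_file, '.php');
        }
        if (!isset($advisories[$slug])) {
            continue;
        }
        $adv = $advisories[$slug];
        if (version_compare($data['Version'], $adv['affected_max'], '<=')) {
            $matches[] = array(
                'file'    => $plugin_file,
                'name'    => $data['Name'],
                'version' => $data['Version'],
                'note'    => $adv['note'],
            );
        }
    }
    return $matches;
}

// Show the warning on every admin screen, to users who can manage plugins.
add_action('admin_notices', function () {
    if (!current_user_can('activate_plugins')) {
        return;
    }
    if (!function_exists('get_plugins')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $matches = tvp_example_match_advisories(get_plugins(), tvp_example_advisories());
    foreach ($matches as $m) {
        // Ties asks for the warning on installs with the plugin "activated/installed", so
        // inactive copies are reported too, with their state made explicit.
        $state = is_plugin_active($m['file']) ? 'active' : 'installed but inactive';
        printf(
            '<div class="notice notice-error"><p><strong>Security warning:</strong> %s %s (%s): %s</p></div>',
            esc_html($m['name']),
            esc_html($m['version']),
            esc_html($state),
            esc_html($m['note'])
        );
    }
});
```

The matcher is separated from the hook so that the version comparison can be checked with a plain array of plugin data; everything printed goes through `esc_html`, since the plugin name and advisory note are untrusted input once the list comes from a remote feed.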

