[wp-trac] [WordPress Trac] #7790: Log out actions should be protected against CSRF
WordPress Trac
wp-trac at lists.automattic.com
Thu Sep 25 05:42:00 GMT 2008
#7790: Log out actions should be protected against CSRF
-------------------------+--------------------------------------------------
Reporter: markjaquith | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.7
Component: Security | Version: 2.7
Severity: normal | Keywords:
-------------------------+--------------------------------------------------
Anyone can log you out of any WordPress install using CSRF (i.e. pointing
you to the /wp-login.php?action=logout for that blog). This can aid in
phishing attempts, and can have unforeseen security ramifications.
Log out actions should have their intention validated via nonce with
fallback to AYS.
--
Ticket URL: <http://trac.wordpress.org/ticket/7790>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
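As an added illustration of the mitigation the ticket asks for (example code, not WordPress's own wp-login.php): a self-contained PHP logout handler that acts only when the request carries a valid nonce bound to the user and action, and otherwise shows an "are you sure" page instead of logging the user out. The secret, the session layout and the `_wpnonce` parameter name are assumptions.

```php
<?php
// Added example, not WordPress code: nonce-protected logout with AYS fallback.
// Assumptions: $_SESSION['user_id'] holds the logged-in user, SECRET_KEY is a
// server-side secret, and the nonce travels in the _wpnonce parameter.
declare(strict_types=1);
session_start();

const LOGOUT_ACTION  = 'log-out';
const NONCE_LIFETIME = 12 * 3600;                 // assumed rotation period
const SECRET_KEY     = 'PLACEHOLDER-replace-with-a-long-random-secret';

// Time window index; nonces from the current and previous window are accepted.
function nonce_tick(): int {
    return (int) ceil(time() / (NONCE_LIFETIME / 2));
}

// The nonce binds the action to the user and the time window via HMAC.
function create_nonce(string $action, int $userId, ?int $tick = null): string {
    $tick = $tick ?? nonce_tick();
    return substr(hash_hmac('sha256', "$tick|$action|$userId", SECRET_KEY), 0, 16);
}

// Constant-time comparison against the current and the previous window.
function verify_nonce(string $nonce, string $action, int $userId): bool {
    $tick = nonce_tick();
    foreach ([$tick, $tick - 1] as $t) {
        if (hash_equals(create_nonce($action, $userId, $t), $nonce)) {
            return true;
        }
    }
    return false;
}

$userId = (int) ($_SESSION['user_id'] ?? 0);
$nonce  = (string) ($_REQUEST['_wpnonce'] ?? '');

if ($userId === 0) {                              // nobody to log out
    header('Location: /wp-login.php'); exit;
}

if (verify_nonce($nonce, LOGOUT_ACTION, $userId)) {
    // Intentional request: destroy the session and expire its cookie.
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
    header('Location: /wp-login.php?loggedout=true'); exit;
}

// Missing or invalid nonce (e.g. a cross-site link): ask, do not act.
$fresh = htmlspecialchars(create_nonce(LOGOUT_ACTION, $userId), ENT_QUOTES);
echo '<p>Are you sure you want to log out?</p>'
   . '<form method="post"><input type="hidden" name="_wpnonce" value="' . $fresh . '">'
   . '<button type="submit">Log out</button></form>';
```

A link from another site reaches the confirmation form rather than the logout itself, so the user's own click on that form is what supplies the nonce.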