[wp-trac] [WordPress Trac] #10975: comment form nonce
WordPress Trac
noreply at wordpress.org
Thu Sep 10 15:16:58 UTC 2015
#10975: comment form nonce
-------------------------+-----------------------------
Reporter: tellyworth | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: Comments | Version:
Severity: normal | Resolution:
Keywords: needs-patch | Focuses:
-------------------------+-----------------------------
Comment (by snarebold):
As a result of a professional penetration test:
Is it possible to perform CSRF attacks (regarding the comment form)?
Yes, an attacker could e.g. integrate the comment form (HTTP POST) in a
hidden iFrame and trick a victim to load this frame. In this way, an
attacker could silently post arbitrary comments from the victim's IP
address.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/10975#comment:20>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list
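The ticket asks for a nonce on the comment form as the standard WordPress defence against the cross-site request forgery described in the comment above. The following is an added example, not code from the ticket or from WordPress core: a small plugin that attaches a nonce to the comment form and rejects submissions that do not carry a valid one. The hooks (`comment_form`, `pre_comment_on_post`) and the functions (`wp_nonce_field`, `wp_verify_nonce`, `wp_die`) are core WordPress APIs; the action string and the field name `_comment_nonce` are choices made here.

```php
<?php
/**
 * Added example (not from the ticket or WordPress core): bind a nonce to the
 * comment form and verify it before the comment is inserted.
 */

// Emit a hidden nonce field inside the comment <form>. The `comment_form`
// action fires inside the form element, so the field is posted with it.
add_action( 'comment_form', function ( $post_id ) {
    // Tie the nonce to this post so a token issued for one post is not
    // accepted for another.
    wp_nonce_field( 'post_comment_' . (int) $post_id, '_comment_nonce' );
} );

// Verify the nonce before wp-comments-post.php inserts the comment.
// `pre_comment_on_post` fires with the target post ID after the basic
// "post exists / comments open" checks.
add_action( 'pre_comment_on_post', function ( $comment_post_id ) {
    $nonce = isset( $_POST['_comment_nonce'] ) ? (string) $_POST['_comment_nonce'] : '';

    if ( ! wp_verify_nonce( $nonce, 'post_comment_' . (int) $comment_post_id ) ) {
        // Refuse the submission; a forged cross-site POST will not carry the token.
        wp_die(
            __( 'Comment submission failed: missing or invalid security token.' ),
            '',
            array( 'response' => 403 )
        );
    }
} );
```

Drop the file into `wp-content/mu-plugins/` to load it on every request. One caveat worth knowing before relying on this: WordPress nonces are derived from the current user ID and session token, so for logged-in users the token is per-user and a cross-site form cannot guess it. For logged-out visitors the nonce is computed for user 0 with no session token, so every anonymous visitor receives the same value for the tick window; the check still stops the naive hidden-form attack from the comment above, but an attacker who fetches the page first can copy a currently valid anonymous token, which is part of why a nonce alone is a weaker defence for unauthenticated comment forms.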