[wp-hackers] Rethinking check_admin_referer()

Paul Mitchell wp-hackers at paul-mitchell.me.uk
Mon Apr 17 19:23:33 GMT 2006

David House wrote:
> Yes they are, but admin referers are to protect admins from themselves (ish).
> A malicious commentor leaves a comment saying "hey, nice post, here's
> [my reponse]" with a link to what appears to be their site but is in
> fact something like
> http://yoursite.com/wp-admin/post.php?action=delete&post=123. Before
> you know it, you've just deleted post 123. Oops. This can be done with
> images as well, so you don't even have to click anything.
This makes wp-admin/edit-comments.php and wp-admin/moderation.php
extremely dangerous as the admin referer check is ineffective.

I placed the URL to delete a post in a comment, then from "Manage
Comments" clicked on the link and deleted the post. Likewise with
moderation, where I made an author URL the delete post link.


More information about the wp-hackers mailing list