[wp-hackers] Rethinking check_admin_referer()

Michael D. Adams mikea at turbonet.com
Tue Apr 18 21:11:40 GMT 2006


On Tue, 18 Apr 2006, David House wrote:
> 1) Admin writes a post.
> 2) Malicious user leaves a comment with an "image", whose source
> redirects to http://yoursite.com/wp-admin/post.php?action=delete&post=123
> 3) Admin logs in
> 4) Manage -> Comments
> 5) Post is deleted.

Have you tried this?  KSES should filter out IMGs from users that don't
have the unfiltered_html capability.

Regardless, the draft issue mentioned previously [1] is still there.  As
mentioned by others, we should POST.

[1] http://comox.textdrive.com/pipermail/wp-hackers/2006-April/005704.html


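The two mitigations the thread converges on (require POST for state-changing admin actions, and tie each request to a per-user, per-action nonce instead of trusting the Referer header) as an added standalone PHP sketch. This is not WordPress code and calls none of its functions; the names `admin_nonce()`, `verify_admin_nonce()`, `handle_delete_post()`, the `SECRET_KEY` placeholder and the user id passed in are assumptions made for the example.

```php
<?php
// Standalone illustration (not WordPress code): a per-user, per-action
// nonce that a state-changing admin handler requires alongside POST.
// SECRET_KEY, the user id and the function names are assumptions.

const SECRET_KEY     = 'replace-with-a-long-random-secret'; // placeholder
const NONCE_LIFETIME = 12 * 3600;                           // 12 hours

// Nonce for an action (e.g. "delete-post-123") bound to the acting user and
// to a coarse time window, so a leaked value stops working after a while.
function admin_nonce(string $action, int $user_id, ?int $now = null): string {
    $now  = $now ?? time();
    $tick = intdiv($now, NONCE_LIFETIME);
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", SECRET_KEY), 0, 16);
}

// Accept the current window and the previous one; compare in constant time.
function verify_admin_nonce(string $nonce, string $action, int $user_id, ?int $now = null): bool {
    $now = $now ?? time();
    foreach ([0, NONCE_LIFETIME] as $back) {
        if (hash_equals(admin_nonce($action, $user_id, $now - $back), $nonce)) {
            return true;
        }
    }
    return false;
}

// Delete handler. A cross-site <img src="..."> can only issue a GET and
// cannot read the nonce, so the forged request from the thread's scenario
// is rejected at the first check and would fail the third regardless.
function handle_delete_post(array $server, array $post, int $user_id): string {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return '405 Method Not Allowed';
    }
    $post_id = (int)($post['post'] ?? 0);
    if ($post_id <= 0) {
        return '400 Bad Request';
    }
    $nonce = (string)($post['_nonce'] ?? '');
    if (!verify_admin_nonce($nonce, "delete-post-$post_id", $user_id)) {
        return '403 Forbidden: nonce check failed';
    }
    // ... perform the deletion here ...
    return "200 deleted post $post_id";
}

// The legitimate UI: the nonce travels as a hidden field in a POST form.
function delete_form(int $post_id, int $user_id): string {
    $nonce = htmlspecialchars(admin_nonce("delete-post-$post_id", $user_id), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="post.php">'
         . '<input type="hidden" name="action" value="delete">'
         . '<input type="hidden" name="post" value="' . $post_id . '">'
         . '<input type="hidden" name="_nonce" value="' . $nonce . '">'
         . '<button type="submit">Delete</button></form>';
}

// Demo with constructed requests: a forged GET, a POST with a bad nonce,
// and a legitimate POST carrying the nonce from the form.
$admin = 7; // constructed user id
echo handle_delete_post(['REQUEST_METHOD' => 'GET'], [], $admin), "\n";
echo handle_delete_post(['REQUEST_METHOD' => 'POST'], ['post' => 123, '_nonce' => 'bogus'], $admin), "\n";
$good = ['post' => 123, '_nonce' => admin_nonce('delete-post-123', $admin)];
echo handle_delete_post(['REQUEST_METHOD' => 'POST'], $good, $admin), "\n";
```

Requiring POST on its own only closes the image-tag vector from the thread; an attacker-controlled page can still submit a cross-site POST form, so the nonce check is the control that actually stops the forged request. Binding the nonce to the user and to the specific action (the post id is part of the action string) means a nonce captured from one form cannot be replayed against another post or by another account.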