[wp-hackers] FW: [Full-disclosure] WordPress AdminPanel CSRF/XSS
mark.wordpress at txfx.net
Tue Feb 27 23:05:32 GMT 2007
On Feb 27, 2007, at 11:47 AM, howard chen wrote:
> can WP allow delete/update action thru HTTP Get?
This is an XSS bug. The 'delete' action is not an integral part of
the exploit. The vulnerability is that it could be used to execute
done as well.
We protect HTTP GET deletes with nonces
Covered Web Services