[wp-hackers] XSRF - announcement ! / Plugin WP

Andrew Nacin wp at andrewnacin.com
Thu Dec 23 16:50:01 UTC 2010


On Thu, Dec 23, 2010 at 8:51 AM, MASOKIS <masokis at gmail.com> wrote:

> Hi... check this out (sorry, it is written in the Malaysian language; use Google
> Translate, it works):
> http://bit.my/L1yQ
> It about attack XSRF ( cross site request forgery ) for wp plugin,


On Thu, Dec 23, 2010 at 11:34 AM, William Davis <will.davis at gmail.com> wrote:

> This is a problem with a plugin, not with the WordPress core, so the plugin
> author should be contacted.
>
> But, as Andrew Nacin has said before on the WP-Hackers list, security
> vulnerabilities should be reported to security at wordpress.org, never to the
> general public.
>

Correct. security at wordpress.org or plugins at wordpress.org is the proper venue
here.

The patch you suggest on your site is NOT secure. It does nothing at all to
make the plugin more secure.

You should use wp_nonce_field() with check_admin_referer() (and other
related functions) to properly secure forms from CSRF.

Nacin
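The pattern Nacin points at, written out as an added worked example. This is not code from the thread or from the plugin under discussion; the plugin name, the `ncex_` prefix, the option name and the nonce action string are all hypothetical. The first handler shows the constructed CSRF-prone shape (a settings write driven straight off $_POST), the second shows the same write behind wp_nonce_field() in the form and check_admin_referer() in the handler, plus a current_user_can() capability check, which the thread does not mention but which a nonce alone does not replace.

```php
<?php
/*
Plugin Name: Nonce Example (hypothetical, for illustration only)
*/

// BEFORE (constructed): the CSRF-prone shape. Nothing ties this request to a
// form WordPress actually rendered for this user, so any page an admin visits
// can POST here on their behalf. There is also no capability check.
function ncex_save_settings_vulnerable() {
    if ( isset( $_POST['ncex_footer_text'] ) ) {
        update_option( 'ncex_footer_text', $_POST['ncex_footer_text'] );
    }
}

// AFTER: a distinct action string per form. Calling wp_nonce_field() and
// check_admin_referer() with no arguments falls back to the action -1, which
// makes one nonce valid for every such form on the site; avoid that.
define( 'NCEX_NONCE_ACTION', 'ncex_save_settings' );

add_action( 'admin_menu', function () {
    add_options_page( 'Nonce Example', 'Nonce Example', 'manage_options',
        'ncex', 'ncex_render_page' );
} );

function ncex_render_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $value = get_option( 'ncex_footer_text', '' );
    ?>
    <div class="wrap">
      <h1>Nonce Example</h1>
      <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ncex_save_settings">
        <?php
        // Emits the hidden _wpnonce field (and _wp_http_referer) bound to
        // this action string and to the logged-in user.
        wp_nonce_field( NCEX_NONCE_ACTION );
        ?>
        <label>Footer text
          <input type="text" name="ncex_footer_text"
                 value="<?php echo esc_attr( $value ); ?>">
        </label>
        <?php submit_button(); ?>
      </form>
    </div>
    <?php
}

// admin_post_{action} fires for a logged-in POST to admin-post.php whose
// "action" field is ncex_save_settings.
add_action( 'admin_post_ncex_save_settings', 'ncex_handle_save' );

function ncex_handle_save() {
    // 1. Authorisation first: a valid nonce proves the user intended this
    //    request, not that the user is allowed to make it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // 2. CSRF check: verifies $_REQUEST['_wpnonce'] against the same action
    //    string and the current user, and wp_die()s on failure, so nothing
    //    below runs for a forged request.
    check_admin_referer( NCEX_NONCE_ACTION );

    // 3. Only now read and sanitise the input.
    $text = isset( $_POST['ncex_footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['ncex_footer_text'] ) )
        : '';
    update_option( 'ncex_footer_text', $text );

    wp_safe_redirect( add_query_arg( 'updated', '1',
        admin_url( 'options-general.php?page=ncex' ) ) );
    exit;
}
```

Two caveats a practitioner should keep in mind: WordPress nonces are not single-use tokens but time-limited hashes (valid for up to a day) bound to the user, the session and the action string, so the action string is what gives a form its own token; and check_admin_referer() dies on failure rather than returning, so code after it can assume the check passed, whereas wp_verify_nonce() returns false and must be tested explicitly.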
