[wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Scott Herbert (via Phone) scott.a.herbert at googlemail.com
Fri Mar 28 16:42:18 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I'd sign up to it. There was someone called "mustlive" who used to post lots of wp stuff on full-disclosure; I'm sure I can find a contact if you want.



On 28 March 2014 16:38:26 GMT+00:00, Harry Metcalfe <harry at dxw.com> wrote:
>Anyone else agree? Who'd join such a list?
>
>I'll keep a tally on that too.
>
>Though I am a bit surprised at the respondents here who *don't* want to
>know about vulnerable plugins they may be running...
>
>Harry
>
>
>On 28/03/2014 16:37, Nikola Nikolov wrote:
>> I'd suggest creating a mailing list - this way people can actually opt-in
>> to those emails (so people here that don't want to receive that kind of
>> information will not and those who want can sign-up for it).
>>
>>
>> On Fri, Mar 28, 2014 at 6:34 PM, Harry Metcalfe <harry at dxw.com> wrote:
>>
>>>> There must be hundreds or thousands of plugins with security issues. I
>>>> don't think everybody will be interested to know vulnerabilities in
>>>> them.
>>>>
>>> I'm honestly not sure how to respond to that. I don't think I know anyone
>>> who doesn't care about having an exploitable website. I agree that there
>>> are hundreds of vulnerable plugins. That's what we're trying to help fix,
>>> because it's unacceptable!
>>>
>>>
>>>   I guess most of the users of the plugin are not going to read this.
>>> We'll do the best we can to make sure everyone who is interested will find
>>> out. We currently:
>>>
>>>   * Publish to our website
>>>   * Tweet from @dxwsecurity
>>>   * Post to wp-hackers and Full Disclosure
>>>   * Request a CVE
>>>
>>> If you have any ideas about how we can spread the word more, I'm all ears.
>>>
>>> Harry
>>>
>>>
>>>
>>> On 28/03/2014 16:06, Varun Agrawal wrote:
>>>
>>>> Hi Harry,
>>>>
>>>>   It was my assumption that this list would be interested to know about
>>>>> vulnerable plugins.
>>>>>
>>>> There must be hundreds or thousands of plugins with security issues. I
>>>> don't think everybody will be interested to know vulnerabilities in
>>>> them.
>>>>
>>>>
>>>>   we are disclosing the vulnerability in order that anyone using this
>>>>> plugin can take steps to protect themselves.
>>>>>
>>>> I guess most of the users of the plugin are not going to read this.
>>>>
>>>>
>>>> -Varun
>>>> _______________________________________________
>>>> wp-hackers mailing list
>>>> wp-hackers at lists.automattic.com
>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>
>>> --
>>> Harry Metcalfe
>>> 07790 559 876
>>> @harrym
>>>
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
>--
>Harry Metcalfe
>07790 559 876
>@harrym
>
>_______________________________________________
>wp-hackers mailing list
>wp-hackers at lists.automattic.com
>http://lists.automattic.com/mailman/listinfo/wp-hackers

- --
Sent from my Android device with K-9 Mail. Please excuse my brevity.
-----BEGIN PGP SIGNATURE-----
Version: APG v1.0.9

iQFMBAEBCAA2BQJTNaZqLxxTY290dCBIZXJiZXJ0IDxzY290dC5hLmhlcmJlcnRA
Z29vZ2xlbWFpbC5jb20+AAoJEJHf3PUjVwdR2QYH/3Rg431s2zEPvYrLZRFIwCRC
UtNvuVTAd180qV6MhHUtOJNV727ph4k4ZlzFz81DX4z0OBhvnlGUQ3M6CfHGMPZL
ey+s2mbOhNudslwkSE7Ei1QFa3o9L3jXokyABNVbGRswoZcFCirVimeEZxscMYmC
+uLe50gSTxVHHr+m/81eXOc24gD/nz122M1CMX/q29SJ9A8v/PpPGlFKBGOIRGJl
LohhAzhbhKOQcNV5uBxrrfp2Z/CPCbXPUF3qAVFurjIIxnKuX7NOXNOmt3zB/XBN
NepxnXRIlI/VWNvPi3j/RWErscJ84iASpUhT/ZAA3FvFkSYuZ6MVJPRYF6m4Vc4=
=Tdhu
-----END PGP SIGNATURE-----