[wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)
Dino Termini
dino at duechiacchiere.it
Fri Mar 28 17:19:53 UTC 2014
Shouldn't the plugin be taken down from the repo? Maybe WordPress, just like it checks for updates, could display a warning in the admin.
On March 28, 2014 12:38:26 PM EDT, Harry Metcalfe <harry at dxw.com> wrote:
>Anyone else agree? Who'd join such a list?
>
>I'll keep a tally on that too.
>
>Though I am a bit surprised at the respondents here who *don't* want to know about vulnerable plugins they may be running...
>
>Harry
>
>
>On 28/03/2014 16:37, Nikola Nikolov wrote:
>> I'd suggest creating a mailing list - this way people can actually opt-in to those emails (so people here that don't want to receive that kind of information will not and those who want can sign-up for it).
>>
>>
>> On Fri, Mar 28, 2014 at 6:34 PM, Harry Metcalfe <harry at dxw.com> wrote:
>>
>>>> There must be hundreds or thousands of plugins with security issues. I don't think everybody will be interested to know vulnerabilities in them.
>>>>
>>> I'm honestly not sure how to respond to that. I don't think I know anyone who doesn't care about having an exploitable website. I agree that there are hundreds of vulnerable plugins. That's what we're trying to help fix, because it's unacceptable!
>>>
>>>
>>>> I guess most of the users of the plugin are not going to read this.
>>> We'll do the best we can to make sure everyone who is interested will find out. We currently:
>>>
>>> * Publish to our website
>>> * Tweet from @dxwsecurity
>>> * Post to wp-hackers and Full Disclosure
>>> * Request a CVE
>>>
>>> If you have any ideas about how we can spread the word more, I'm all ears.
>>>
>>> Harry
>>>
>>>
>>>
>>> On 28/03/2014 16:06, Varun Agrawal wrote:
>>>
>>>> Hi Harry,
>>>>
>>>>> It was my assumption that this list would be interested to know about vulnerable plugins.
>>>>>
>>>> There must be hundreds or thousands of plugins with security issues. I don't think everybody will be interested to know vulnerabilities in them.
>>>>
>>>>
>>>>> we are disclosing the vulnerability in order that anyone using this plugin can take steps to protect themselves.
>>>>>
>>>> I guess most of the users of the plugin are not going to read this.
>>>>
>>>>
>>>> -Varun
>>>> _______________________________________________
>>>> wp-hackers mailing list
>>>> wp-hackers at lists.automattic.com
>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>
>>> --
>>> Harry Metcalfe
>>> 07790 559 876
>>> @harrym
>>>
>>>
>
>--
>Harry Metcalfe
>07790 559 876
>@harrym
>