[wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Ian Dunn ian at iandunn.name
Fri Mar 28 18:29:03 UTC 2014

On 3/28/14, 10:03 AM, Chris Christoff wrote:
> I think the point is when people signed up for this mailing list they
> didn't sign up for those notifications, which presumably entail
> multiple emails per day (given 2 already today alone and security.dxw
> seems to report 1 to 2 a day on average).

I think it's more like 5-10 per month. DXW started posting these to the 
list about a month ago, and IIRC this is only the second time they've 
posted anything. So far they've batched them together when they have posted.

I'm all for keeping them on the list, because in my view it's relevant 
for two reasons: 1) Most people on this list administer sites that are 
potentially using these vulnerable plugins; 2) We all need to be 
regularly reminded that security is important and easy to get wrong.

FWIW, you can already get these via e-mail by using Blogtrottr.com to 
subscribe to DXW's RSS feed at https://security.dxw.com/advisories/feed/

On 3/28/14, 10:54 AM, Marko Heijnen wrote:
> The problem with announcing security issues on a public list is that
> people can use the hack. Especially when there isn't any fix for it yet.

That's assuming that the plugin author is going to fix the problem. If 
they're not -- which has been demonstrated by their lack of response 
when DXW privately disclosed the vulnerabilities to them two weeks ago 
-- then the responsible thing to do is to release it publicly so that 
users/admins are aware and can act to protect themselves. That is 
standard practice.

Failing to disclose a vulnerability that won't be fixed hurts users and 
helps hackers. Users are ignorant of it so they can't protect 
themselves, while hackers will eventually find it and start exploiting 
it. Failing to disclose it in the hopes that hackers won't find it on 
their own is just security-through-obscurity.
