[wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Scott Herbert (via Phone) scott.a.herbert at googlemail.com
Fri Mar 28 18:53:36 UTC 2014


If you email security at wordpress.org they pull it straight away.

On 28 March 2014 17:19:53 GMT+00:00, Dino Termini <dino at duechiacchiere.it> wrote:
>Shouldn't the plugin be taken down from the repo? Maybe WordPress, just
>like it checks for updates, could display a warning in the admin.
>
>On March 28, 2014 12:38:26 PM EDT, Harry Metcalfe <harry at dxw.com> wrote:
>>Anyone else agree? Who'd join such a list?
>>
>>I'll keep a tally on that too.
>>
>>Though I am a bit surprised at the respondents here who *don't* want
>>to know about vulnerable plugins they may be running...
>>
>>Harry
>>
>>
>>On 28/03/2014 16:37, Nikola Nikolov wrote:
>>> I'd suggest creating a mailing list - this way people can actually
>>> opt-in to those emails (so people here that don't want to receive that
>>> kind of information will not and those who want can sign-up for it).
>>>
>>>
>>> On Fri, Mar 28, 2014 at 6:34 PM, Harry Metcalfe <harry at dxw.com> wrote:
>>>
>>>>> There must be hundreds or thousands of plugins with security issues.
>>>>> I don't think everybody will be interested to know vulnerabilities
>>>>> in them.
>>>>>
>>>> I'm honestly not sure how to respond to that. I don't think I know
>>>> anyone who doesn't care about having an exploitable website. I agree
>>>> that there are hundreds of vulnerable plugins. That's what we're trying
>>>> to help fix, because it's unacceptable!
>>>>
>>>>
>>>>> I guess most of the users of the plugin are not going to read this.
>>>>
>>>> We'll do the best we can to make sure everyone who is interested
>>>> will find out. We currently:
>>>>
>>>>   * Publish to our website
>>>>   * Tweet from @dxwsecurity
>>>>   * Post to wp-hackers and Full Disclosure
>>>>   * Request a CVE
>>>>
>>>> If you have any ideas about how we can spread the word more, I'm
>>>> all ears.
>>>>
>>>> Harry
>>>>
>>>>
>>>>
>>>> On 28/03/2014 16:06, Varun Agrawal wrote:
>>>>
>>>>> Hi Harry,
>>>>>
>>>>>> It was my assumption that this list would be interested to know
>>>>>> about vulnerable plugins.
>>>>>>
>>>>> There must be hundreds or thousands of plugins with security issues.
>>>>> I don't think everybody will be interested to know vulnerabilities
>>>>> in them.
>>>>>
>>>>>
>>>>>> we are disclosing the vulnerability in order that anyone using
>>>>>> this plugin can take steps to protect themselves.
>>>>>>
>>>>> I guess most of the users of the plugin are not going to read this.
>>>>>
>>>>>
>>>>> -Varun
>>>>> _______________________________________________
>>>>> wp-hackers mailing list
>>>>> wp-hackers at lists.automattic.com
>>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>>
>>>> --
>>>> Harry Metcalfe
>>>> 07790 559 876
>>>> @harrym
>>>>
>>>>
>>
>>-- 
>>Harry Metcalfe
>>07790 559 876
>>@harrym
>>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
