Comments on: Ferruh WordPress CSRF Vulnerability

By: WordPress Wednesday News: WordPress 2.5 News, Colleges and Schools Love WordPressMU, Viddler Meets WordPress, Theme Buyers Beware, Columns in Blog Posts, Feeds Without Plugins : The Blog Herald

Thu, 21 Feb 2008 04:56:35 +0000

[...] Blog Security reports on a WordPress CSRF vulnerability described as a Cross Site Request Forgery. Investigations are ongoing. [...]

By: DK

DK — Fri, 15 Feb 2008 09:14:08 +0000

Gareth, just informed me that WPIDS and WP Lockdown will prevent these attacks:

Lockdown and WPIDS protects against these sorts of CSRF
attacks by employing a framebreaker in the admin area. This
effectively eliminates this attack on every browser apart from IE.

By: WordPress Wednesday News: WordPress 2.5 Live Reports, WWW or Not to WWW, 16,000 Post Migration, MT Does WP, WP Does Kazakhstan, and Gets Mugged : The Blog Herald

Thu, 14 Feb 2008 06:14:44 +0000

[...] Blog Security reports on a WordPress CSRF vulnerability described as a Cross Site Request Forgery. Investigations are ongoing. [...]

By: DK

DK — Wed, 13 Feb 2008 18:03:37 +0000

Rasheed, Ferruh provided a patch as part of his advisory. The patch basically prevents any requests without a valid nonce present.

By: CSRF Attack on WordPress · Pressed Words

CSRF Attack on WordPress · Pressed Words — Wed, 13 Feb 2008 16:47:20 +0000

[...] named Ferruh has a proof-of-concept cross-site request forgery (CSRF) attack against WordPress (HT: DK at BlogSecurity). I’ve tried it out successfully on my own version of WordPress [...]

By: Rasheed

Rasheed — Wed, 13 Feb 2008 13:18:03 +0000

So what should we do ?

Can you give us more details ?

Thanks.