WordPress 3.3.1 (and below) suffers from multiple CSRF vulnerabilities which allow an attacker to change a post title, add administrators/users, delete administrators/users, approve and unapprove comments, delete comments, change the background image, insert a custom header image, change the site title, change the administrator's email, change the WordPress Address and change the Site Address when an authenticated user/admin browses a specially crafted web page. Other parameters may also be modifiable. This vulnerability is caused by a security flaw in the generation of the anti-CSRF tokens (_wpnonce, _wpnonce_create-user, _ajax_nonce,
_wpnonce-custom-background-upload, _wpnonce-custom-header-upload). For some operations (see below) the tokens named above are not associated with the current user session (as OWASP recommends) but are valid for all operations (for a specific administrator/user) within a 12-hour window.
The vulnerability described above gives an attacker who has sniffed an anti-CSRF token 12 hours in which to perform a CSRF attack.
This problem affects the following operations:
- Add admin/user
- Delete Admin/User
- Approve comment
- Unapprove comment
- Delete comment
- Change background image
- Insert custom header image
- Change site title
- Change administrator’s email
- Change WordPress Address
- Change Site Address
Other operations (like insert a new post) are not affected by this CSRF vulnerability.
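To make the token-binding point concrete, here is an added Python model of the two schemes (not WordPress code and not part of the advisory): a nonce bound only to the user and a 12-hour time bucket, which a single captured value reuses across every action for as long as the bucket lasts, beside one that also binds the session identifier and the specific action. The secret key, session strings, user id and timestamps are constructed for the example.

```python
import hashlib
import hmac
import math

# Constructed server-side secret for this example only.
SECRET_KEY = b"constructed-example-secret"
NONCE_LIFE = 24 * 60 * 60  # tokens live at most 24h, checked as two 12h ticks


def nonce_tick(now: float) -> int:
    """Coarse 12-hour time bucket; a token is tied to the bucket it was minted in."""
    return math.ceil(now / (NONCE_LIFE / 2))


def _mac(parts) -> str:
    msg = "|".join(str(p) for p in parts).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def weak_nonce(user_id: int, now: float) -> str:
    """The pattern the advisory describes: bound to user and time bucket only."""
    return _mac([nonce_tick(now), user_id])


def verify_weak(nonce: str, user_id: int, action: str, now: float) -> bool:
    """`action` is accepted for signature symmetry but never enters the MAC,
    so one captured token authorises any operation until the bucket rolls over."""
    tick = nonce_tick(now)
    return any(hmac.compare_digest(nonce, _mac([t, user_id])) for t in (tick, tick - 1))


def strong_nonce(session_token: str, user_id: int, action: str, now: float) -> str:
    """Hardened form: bound to session, user, the specific action and the bucket."""
    return _mac([nonce_tick(now), action, user_id, session_token])


def verify_strong(nonce: str, session_token: str, user_id: int, action: str, now: float) -> bool:
    """Accept the current and previous tick (24h total), constant-time compare."""
    tick = nonce_tick(now)
    return any(
        hmac.compare_digest(nonce, _mac([t, action, user_id, session_token]))
        for t in (tick, tick - 1)
    )


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed timestamp
    captured = weak_nonce(7, t0)
    print("weak token reused for delete-user:", verify_weak(captured, 7, "delete-user", t0 + 3600))
    s = strong_nonce("sess-A", 7, "approve-comment", t0)
    print("strong token replayed as delete-user:", verify_strong(s, "sess-A", 7, "delete-user", t0))
```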
Version 3.3.2 is probably also affected by this CSRF vulnerability.
To view my Original Advisory:
WordPress 3.3.1 Multiple CSRF Vulnerabilities
MITRE CVE Numbering Authority assigned me CVE-2012-1936 for this vulnerability.
This security advisory was also published on the following websites: