WordPress 3.3.1 Multiple CSRF Vulnerabilities

WordPress 3.3.1 (and below) suffers from multiple CSRF vulnerabilities which allow an attacker to change post title, add administrators/users, delete administrators/users, approve and unapprove comment, delete comment, change background image, insert custom header image, change site title, change administrator’s email, change WordPress Address, change Site Address, when an authenticated user/admin browses a special crafted web page. May be other parameters can be modified. This vulnerability is caused by a security flaw in anti-CSRF token (_wpnonce, _wpnonce_create-user, _ajax_nonce,
_wpnonce-custom-background-upload, _wpnonce-custom-header-upload) generation. For some operations (see below) above specified anti-CSRF tokens are not associated with the current user session (as Owasp recommends) but are the are valid for all operations (for a specific administrator/user) within 12 hour.
The above described vulnerability allows an attacker – who has sniffed anti-CSRF token – to have 12 hour to perform a CSRF attack.
This problem affects the following operations:

  • Add admin/user
  • Delete Admin/User
  • Approve comment
  • Unapprove comment
  • Delete comment
  • Change background image
  • Insert custom header image
  • Change site title
  • Change administrator’s email
  • Change WordPress Address
  • Change Site Address

Other operations (like insert a new post) are not affected by this CSRF vulnerability.

Probably also version 3.3.2 is affected by this CSRF vulnerability.

To view my Original Advisory:
WordPress 3.3.1 Multiple CSRF Vulnerabilities

MITRE CVE Numbering Authority assigned me CVE-2012-1936 for this vulnerability.

This Security Advisory was also published in the following web sites:
http://www.securityfocus.com/bid/53280
http://osvdb.org/show/osvdb/81588
http://xforce.iss.net/xforce/xfdb/75222
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1936
http://packetstormsecurity.org/files/112253/WordPress-3.3.1-Cross-Site-Request-Forgery.html
http://1337day.com/exploits/18138
http://www.exploit-db.com/exploits/18791/
http://www.cvedetails.com/cve/CVE-2012-1936/
http://www.exploit-id.com/web-applications/wordpress-3-3-1-multiple-csrf-vulnerabilities

One thought on “WordPress 3.3.1 Multiple CSRF Vulnerabilities

  1. Pingback: La faille CSRF, explications et contre-mesures - Le Blog du Hacker

Leave a Reply

Your email address will not be published. Required fields are marked *


8 × three =

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>