WordPress 3.3.1 (and below) suffers from multiple CSRF vulnerabilities which allow an attacker to change post title, add administrators/users, delete administrators/users, approve and unapprove comment, delete comment, change background image, insert custom header image, change site title, change administrator’s email, change WordPress Address, change Site Address, when an authenticated user/admin browses a special crafted web page. May be other parameters can be modified. This vulnerability is caused by a security flaw in anti-CSRF token (_wpnonce, _wpnonce_create-user, _ajax_nonce,
_wpnonce-custom-background-upload, _wpnonce-custom-header-upload) generation. For some operations (see below) above specified anti-CSRF tokens are not associated with the current user session (as Owasp recommends) but are the are valid for all operations (for a specific administrator/user) within 12 hour.
The above described vulnerability allows an attacker – who has sniffed anti-CSRF token – to have 12 hour to perform a CSRF attack.
This problem affects the following operations:
Change background image
Insert custom header image
Change site title
Change administrator’s email
Change WordPress Address
Change Site Address
Other operations (like insert a new post) are not affected by this CSRF vulnerability.
Probably also version 3.3.2 is affected by this CSRF vulnerability.
PlumeCMS 1.2.4 (and below) is prone to multiple peristent XSS vulnerability due to an improper input sanitization of multiple parameters.
“u_email” and “u_realname” parameters are not correctly sanitized before being passed to server side script “manager/users.php” via http POST method. An attacker – who is able to change his profile settings – could insert malicious code into “Email” and/or “Name” fields- within “Authors” template – in order to create a persistent XSS vulnerability for all user/admin who access to Plume’s management interface.
SyndeoCMS 3.0.01 (and lower) is prone to a persistent XSS vulnerability due to an improper input sanitization of “email” parameter, passed to server side logic (path: “starnet/index.php”) via http POST method.
Exploiting this vulnerability an authenticated user – which is able to change his profile settings – could insert arbitrary code in “Site email” field that will be executed when another admin or user clicks on that user’profile.
MITRE CVE Numbering Authority assigned me CVE-2012-1979 for this vulnerability.
Yesterday I’ve discovered new CSRF vulnerabilities in Sitecom WLM-2501 300N wireless modem/router which allow an attacker to change a lot of device parameter and, most of all, to change wireless passphrase.