WordPress 3.3.1 Multiple CSRF Vulnerabilities

WordPress 3.3.1 (and below) suffers from multiple CSRF vulnerabilities which allow an attacker to change post title, add administrators/users, delete administrators/users, approve and unapprove comment, delete comment, change background image, insert custom header image, change site title, change administrator’s email, change WordPress Address, change Site Address, when an authenticated user/admin browses a special crafted web page. May be other parameters can be modified. This vulnerability is caused by a security flaw in anti-CSRF token (_wpnonce, _wpnonce_create-user, _ajax_nonce,
_wpnonce-custom-background-upload, _wpnonce-custom-header-upload) generation. For some operations (see below) above specified anti-CSRF tokens are not associated with the current user session (as Owasp recommends) but are the are valid for all operations (for a specific administrator/user) within 12 hour.
The above described vulnerability allows an attacker – who has sniffed anti-CSRF token – to have 12 hour to perform a CSRF attack.
This problem affects the following operations:

  • Add admin/user
  • Delete Admin/User
  • Approve comment
  • Unapprove comment
  • Delete comment
  • Change background image
  • Insert custom header image
  • Change site title
  • Change administrator’s email
  • Change WordPress Address
  • Change Site Address

Other operations (like insert a new post) are not affected by this CSRF vulnerability.

Probably also version 3.3.2 is affected by this CSRF vulnerability.

To view my Original Advisory:
WordPress 3.3.1 Multiple CSRF Vulnerabilities

MITRE CVE Numbering Authority assigned meĀ CVE-2012-1936 for this vulnerability.

This Security Advisory was also published in the following web sites:

One thought on “WordPress 3.3.1 Multiple CSRF Vulnerabilities

  1. Pingback: La faille CSRF, explications et contre-mesures - Le Blog du Hacker

Leave a Reply

Your email address will not be published. Required fields are marked *