Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that modify an RSS URL via a dashboard_incoming_links edit action.
| Max Base Score | Published | Updated | EPSS |
|---|---|---|---|
| 6.8 | 2012-09-28 | 2012-10-01 | 0.38% |
Cross-site request forgery (CSRF) vulnerability in the customizer in WordPress before 3.4.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
| Max Base Score | Published | Updated | EPSS |
|---|---|---|---|
| 6.8 | 2012-07-22 | 2012-08-09 | 0.16% |
** DISPUTED ** The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session, which might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on specific actions and objects by sniffing the network, as demonstrated by attacks against the wp-admin/admin-ajax.php and wp-admin/user-new.php scripts. NOTE: the vendor reportedly disputes the significance of this issue because wp_create_nonce operates as intended, even if it is arguably inconsistent with certain CSRF protection details advocated by external organizations.
| Max Base Score | Published | Updated | EPSS |
|---|---|---|---|
| 6.8 | 2012-05-03 | 2017-12-14 | 0.94% |
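The disputed entry above turns on one design detail: a nonce derived from the time bucket, the action and the user ID stays valid for any session of that account until the bucket expires, so a nonce captured once on the wire can be replayed after the victim has logged out and back in. The following Python model is an added example, not WordPress code: it stands in for wp_hash with HMAC-SHA256 under a constructed salt, uses a one-day nonce life with half-day ticks and acceptance of the current and previous tick (the WordPress defaults), and uses a constructed action name and constructed session tokens. The session-bound variant mixes the per-login session token into the nonce, which is the approach later WordPress releases adopted.

```python
import hashlib
import hmac
import math
import secrets
from typing import Optional

# Constructed stand-ins for this example: a site secret for the HMAC and a
# one-day nonce life. Ticks are half the nonce life and verification accepts
# the current and the previous tick, so a nonce is honoured for 12 to 24 hours.
NONCE_SALT = b"constructed-example-salt-not-a-real-secret"
NONCE_LIFE = 86400


def nonce_tick(now: float) -> int:
    """Time bucket the nonce is bound to (half the nonce life per bucket)."""
    return math.ceil(now / (NONCE_LIFE / 2))


def _nonce(tick: int, action: str, user_id: int, session_token: Optional[str]) -> str:
    """Derive a 10-character nonce from the bound fields.

    Account-bound (session_token is None): tick | action | user id.
    Session-bound: tick | action | user id | per-login session token.
    """
    parts = [str(tick), action, str(user_id)]
    if session_token is not None:
        parts.append(session_token)
    digest = hmac.new(NONCE_SALT, "|".join(parts).encode(), hashlib.sha256).hexdigest()
    return digest[-12:-2]


def create_nonce(action: str, user_id: int, now: float,
                 session_token: Optional[str] = None) -> str:
    return _nonce(nonce_tick(now), action, user_id, session_token)


def verify_nonce(nonce: str, action: str, user_id: int, now: float,
                 session_token: Optional[str] = None) -> bool:
    """Accept a nonce minted in the current or the previous tick."""
    i = nonce_tick(now)
    return any(
        hmac.compare_digest(nonce, _nonce(tick, action, user_id, session_token))
        for tick in (i, i - 1)
    )


def sniffed_nonce_replays(session_bound: bool) -> bool:
    """Simulate the scenario from the advisory: an attacker captures a nonce
    from one login session and replays it after the victim has logged out and
    back in (same account, fresh session). Returns True if it is still accepted.
    """
    user_id = 1
    action = "add-user"  # constructed action name for the example
    t_capture = 1_700_000_000.0
    first_session = secrets.token_hex(16) if session_bound else None
    sniffed = create_nonce(action, user_id, t_capture, first_session)

    # Victim logs out and logs in again: same user ID, new session token.
    second_session = secrets.token_hex(16) if session_bound else None
    return verify_nonce(sniffed, action, user_id, t_capture + 600, second_session)


if __name__ == "__main__":
    print("account-bound nonce replays across sessions:", sniffed_nonce_replays(False))
    print("session-bound nonce replays across sessions:", sniffed_nonce_replays(True))
```

The account-bound nonce still verifies after the re-login; the session-bound one does not, because the second session token changes the input to the hash. Neither scheme protects a nonce that is replayed within the same session and tick window, which is why a sniffed nonce should be treated as a compromised credential for that action until the tick rolls over, and why transport protection (TLS) matters regardless of how the nonce is derived.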
3 vulnerabilities found