oss-sec mailing list archives
Re: CVE request: WordPress plugin wp-cleanfix CSRF
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 18 May 2013 00:54:23 -0600
On 05/16/2013 08:59 AM, Henri Salo wrote:
> Hello,
>
> Can I get CVE for CSRF vulnerability in WordPress plugin wp-cleanfix, thanks.
> Attacker can execute arbitrary PHP code using eval() in wpCleanFixAjax.php
> with CSRF. I also noticed the plugin contains
>
> wp-cleanfix.php: <script type="text/javascript" src="http://blog.wpxtre.me/widget/?<?php echo time() ?>"></script>
>
> Tested: 2.4.4
>
> Information posted originally 11 months ago, but eval() alone is not
> dangerous. Not sure if this should be 2012 or 2013 CVE.
>
> References:
> http://wordpress.org/support/topic/plugin-wp-cleanfix-remote-code-execution-warning
> https://github.com/wpscanteam/wpscan/issues/186
> http://wordpress.org/extend/plugins/wp-cleanfix/
>
> ---
> Henri Salo
Sorry I'm not clear, this appears to be two vulns, a CSRF, and a remote code exec, the remote code exec can be triggered via the CSRF (so remote anon attacker can pull this off with some social engineering/etc.), but can also be done by users with access?

Thanks.

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
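An added example, not code from wp-cleanfix or from either poster: a triage pass that tags PHP sources separately for the issues this thread distinguishes (eval() alongside request input, missing nonce verification, missing capability check) and for scripts loaded over plain HTTP. The regexes are heuristics that mark files for review, and the sample files, the `run_task` helper and the host name are constructed for illustration.

```python
import re

# Heuristic patterns; a hit means "review this file", not a confirmed bug.
EVAL_CALL = re.compile(r"\beval\s*\(")
REQUEST_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
NONCE_CHECK = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
CAP_CHECK = re.compile(r"\bcurrent_user_can\s*\(")
REMOTE_SCRIPT = re.compile(r"<script[^>]+src=[\"']http://([^/\"'?]+)", re.I)

def strip_comments(php):
    """Drop block and line comments so a commented-out check does not count."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(?m)(?:^|(?<=\s))(?://|#).*$", "", php)

def triage(php):
    """Return review tags for one PHP source file."""
    code = strip_comments(php)
    reads_input = bool(REQUEST_INPUT.search(code))
    tags = []
    if reads_input and EVAL_CALL.search(code):
        tags.append("code-exec")   # eval() in a file that reads request data
    if reads_input and not NONCE_CHECK.search(code):
        tags.append("csrf")        # reads input but never verifies a nonce
    if reads_input and not CAP_CHECK.search(code):
        tags.append("authz")       # no capability check before acting on input
    tags += ["remote-script:" + h for h in REMOTE_SCRIPT.findall(code)]
    return tags

# Constructed samples (not the plugin's code); file names and hosts are made up.
SAMPLES = {
    "ajax_unchecked.php": """<?php
// check_ajax_referer('fix');   <- commented out, must not count
$cmd = $_POST['command'];
eval($cmd);
""",
    "ajax_checked.php": """<?php
check_ajax_referer('fix_action', 'nonce');
if (!current_user_can('manage_options')) { wp_die(); }
run_task(sanitize_key($_POST['task']));
""",
    "footer.php": """<script type="text/javascript"
 src="http://widgets.example.test/w/?<?php echo time() ?>"></script>""",
}

def scan(samples=SAMPLES):
    """Map each file name to its tags."""
    return {name: triage(src) for name, src in samples.items()}

if __name__ == "__main__":
    for name, tags in scan().items():
        print(name, tags or "clean")
```

The tags are file-level signals with no data-flow analysis, so a "code-exec" hit still needs a manual check that request data actually reaches the eval() call.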