Bugtraq: Gwolle Guestbook mass action vulnerable for Cross-Site Request Forgery

————————————————————————

Gwolle Guestbook mass action vulnerable for Cross-Site Request Forgery

————————————————————————

Radjnies Bhansingh, July 2016

————————————————————————

Abstract

————————————————————————

A Cross-Site Request Forgery (CSRF) vulnerability was found in the
Gwolle Guestbook WordPress plugin. An attacker can use this issue to
mass approve or disapprove guestbook entries. To exploit it, the
attacker needs to lure a victim with editor or admin privileges to an
attacker-controlled page or trick them into clicking a malicious link.
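The following is an added illustration of the bug class, not code from Gwolle Guestbook or from the advisory: a hypothetical WordPress admin "mass action" handler for guestbook entries, first in the form that is open to CSRF (it trusts any POST that carries the expected fields, and the victim's browser attaches the WordPress auth cookies for it), then hardened with a WordPress nonce that an attacker-controlled page cannot obtain. All names (gb_mass_action, gb_entries, gb_set_status, the gb_entries table) are assumptions made up for the example.

```php
<?php
// Added illustration, not Gwolle Guestbook code. Function, field and table
// names (gb_*) are hypothetical; the WordPress API calls are real.

// Hypothetical persistence helper: flips the approved flag on a set of rows.
function gb_set_status( array $ids, $approved ) {
    global $wpdb;
    $table = $wpdb->prefix . 'gb_entries'; // hypothetical table
    foreach ( $ids as $id ) {
        $wpdb->update(
            $table,
            array( 'approved' => $approved ? 1 : 0 ),
            array( 'id' => $id ),
            array( '%d' ),
            array( '%d' )
        );
    }
}

// --- Vulnerable pattern ------------------------------------------------
// A capability check alone does not stop CSRF: a logged-in editor's browser
// sends the session cookies with a form auto-submitted from a third-party
// page, so the server cannot tell this request from a legitimate one.
function gb_mass_action_vulnerable() {
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    $action = isset( $_POST['gb_action'] ) ? sanitize_key( $_POST['gb_action'] ) : '';
    $ids    = isset( $_POST['gb_entries'] ) ? array_map( 'absint', (array) $_POST['gb_entries'] ) : array();
    if ( in_array( $action, array( 'check', 'uncheck' ), true ) ) {
        gb_set_status( $ids, $action === 'check' ); // state change with no origin check
    }
}

// --- Hardened pattern --------------------------------------------------
// The form embeds a per-user, time-limited nonce bound to the action name.
// Same-origin policy keeps an attacker's page from reading it, so a forged
// cross-site POST is rejected before any entry is touched.
function gb_render_mass_action_form( array $entry_ids ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="gb_mass_action">';
    // Emits the gb_mass_action_nonce field plus a _wp_http_referer field.
    wp_nonce_field( 'gb_mass_action', 'gb_mass_action_nonce' );
    foreach ( $entry_ids as $id ) {
        $id = absint( $id );
        printf( '<label><input type="checkbox" name="gb_entries[]" value="%d"> #%d</label>', $id, $id );
    }
    echo '<button name="gb_action" value="check">Approve</button>';
    echo '<button name="gb_action" value="uncheck">Unapprove</button>';
    echo '</form>';
}

function gb_mass_action_hardened() {
    // Authorization: who may perform a mass action at all.
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // CSRF check: did this POST come from our own form? On a missing or
    // invalid nonce check_admin_referer() stops execution with wp_nonce_ays().
    check_admin_referer( 'gb_mass_action', 'gb_mass_action_nonce' );

    $action = isset( $_POST['gb_action'] ) ? sanitize_key( $_POST['gb_action'] ) : '';
    $ids    = isset( $_POST['gb_entries'] ) ? array_map( 'absint', (array) $_POST['gb_entries'] ) : array();
    if ( ! in_array( $action, array( 'check', 'uncheck' ), true ) || empty( $ids ) ) {
        wp_die( 'Invalid request.' );
    }
    gb_set_status( $ids, $action === 'check' );

    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : admin_url() );
    exit;
}
add_action( 'admin_post_gb_mass_action', 'gb_mass_action_hardened' );
```

The nonce check complements the capability check rather than replacing it: current_user_can() answers "may this user do this", the nonce answers "did this user actually intend this request". For AJAX endpoints the equivalent call is check_ajax_referer(), and any GET link that changes state should be built with wp_nonce_url() and verified the same way.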

————————————————————————

OVE ID

————————————————————————

OVE-20160724-0001

————————————————————————

Tested versions

————————————————————————

This issue was successfully tested on the Gwolle Guestbook WordPress
plugin version 1.7.4.

————————————————————————

Fix

————————————————————————

This issue was fixed in Gwolle Guestbook version 2.1.1. The most
recent version of Gwolle Guestbook can be obtained from the following
location:

https://wordpress.org/plugins/gwolle-gb/

————————————————————————

Details

————————————————————————

https://sumofpwn.nl/advisory/2016/gwolle_guestbook_mass_action_vulnerable_for_cross_site_request_forgery.html

————————————————————————

Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

Source: SecurityFocus Vulnerabilities @ March 1, 2017 at 02:06AM
