
Q12598- WordPress Multiple Cross-Site Request Forgery Vulnerabilities

Question asked by DMFezzaReed Employee on Oct 2, 2012
Latest reply on Oct 2, 2012 by DMFezzaReed

How is this vulnerability tested/detected/reported? I see nothing in the results returned in the scan report that indicates the version of WordPress.


What were the conditions that were met that led to a CVE from 03-19-2012 (presently under dispute) being added as a PCI FAIL vulnerability on 10/01/2012, in Qualys?


If there is no vendor fix and all versions of WordPress are impacted, what next?


Q12598- WordPress Multiple Cross-Site Request Forgery Vulnerabilities

  • Last Updated in Qualys Vulnerability Database: 10/01/2012 at 18:11:46 (NEW)



WordPress is an open source content management system.

WordPress is prone to a stored cross-site request forgery.

Affected Versions:
Wordpress Versions prior to 3.3.1


By exploiting this vulnerability, an attacker can force:
  • Add Admin/User
  • Delete Admin/User
  • Approve comment
  • Unapprove comment
  • Delete comment
  • Change background image
  • Insert custom header image
  • Change site title
  • Change administrator's email
  • Change WordPress Address
  • Change Site Address


Currently, we are not aware of any vendor-supplied patches. For the vendor, it's not a critical vuln.


Does the fact that this vulnerability is currently in dispute (according to the CVE database) have any bearing on this situation?

This vulnerability is flagged on all versions of WordPress including the current 3.4.2. There is no remediation or fix from the WordPress project.
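The QID description above lists state-changing actions (site title, addresses, comments, users) that a forged request could trigger. The following is an added example, not code from the post, from Qualys or from the WordPress project: a plugin-style settings handler written twice, once with the cross-site request forgery weakness and once hardened with the WordPress nonce and capability APIs (wp_nonce_field, wp_verify_nonce, current_user_can). The hook and field names "csrf_demo_save_title" and "_csrf_demo_nonce" are hypothetical names chosen for the illustration; "blogname" is the real option that holds the site title.

```php
<?php
/*
 * Added example (not from the post or the WordPress project).
 * Assumptions: the admin_post hook names and the "_csrf_demo_nonce" field
 * are illustrative; "blogname" is WordPress's site-title option.
 */

/* --- Vulnerable: trusts any request that reaches the handler. --- */
function csrf_demo_save_title_vulnerable() {
    // No nonce, no capability check, GET accepted: a request forged from
    // another site in a logged-in admin's browser looks identical to a
    // real one, so the site title can be changed without the admin's intent.
    if ( isset( $_REQUEST['site_title'] ) ) {
        update_option( 'blogname', $_REQUEST['site_title'] );
    }
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_csrf_demo_save_title_vulnerable', 'csrf_demo_save_title_vulnerable' );

/* --- Hardened: the nonce ties the request to a form this user rendered. --- */
function csrf_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="csrf_demo_save_title">
        <?php wp_nonce_field( 'csrf_demo_save_title', '_csrf_demo_nonce' ); ?>
        <label>Site title <input type="text" name="site_title"></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function csrf_demo_save_title() {
    // 1. Only users permitted to change settings may reach the update.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. Require POST, so a plain link or image URL cannot trigger the change.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( 'Method not allowed', '', array( 'response' => 405 ) );
    }
    // 3. The nonce is bound to the action, the user and the session, so a
    //    page on another origin cannot supply a valid one.
    $nonce = isset( $_POST['_csrf_demo_nonce'] ) ? $_POST['_csrf_demo_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'csrf_demo_save_title' ) ) {
        wp_die( 'Invalid or expired request token', '', array( 'response' => 403 ) );
    }
    // 4. Validate and sanitise the value before it reaches the database.
    $title = isset( $_POST['site_title'] ) ? sanitize_text_field( $_POST['site_title'] ) : '';
    if ( '' === $title ) {
        wp_die( 'Site title may not be empty', '', array( 'response' => 400 ) );
    }
    update_option( 'blogname', $title );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_csrf_demo_save_title', 'csrf_demo_save_title' );
```

The capability check and the nonce check answer two different questions (is this user allowed to do this, and did this user actually ask for it); dropping either reintroduces a way to perform the listed actions on an administrator's behalf. WordPress's check_admin_referer() combines the nonce lookup and the wp_die() into one call for handlers that prefer it.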