
Q12598- WordPress Multiple Cross-Site Request Forgery Vulnerabilities

Question asked by DMFezzaReed Employee on Oct 2, 2012
Latest reply on Oct 2, 2012 by DMFezzaReed

How is this vulnerability tested/detected/reported?  I see nothing in the results returned in the scan report that indicate the version of WordPress.

 

What were the conditions that were met that led to a CVE from 03-19-2012 (presently under dispute) being added as a PCI FAIL vulnerability on 10/01/2012, in Qualys?

 

If there is no vendor fix and all versions of WordPress are impacted, what next?

 

Q12598- WordPress Multiple Cross-Site Request Forgery Vulnerabilities

  • Last Updated in Qualys Vulnerability Database: 10/01/2012 at 18:11:46 (NEW)

 

Threat:

WordPress is an open source content management system.

WordPress is prone to a stored cross-site request forgery.

Affected Versions:
Wordpress Versions prior to 3.3.1

Impact:

By exploiting this vulnerability, an attacker can force:
  • Add Admin/User
  • Delete Admin/User
  • Approve comment
  • Unapprove comment
  • Delete comment
  • Change background image
  • Insert custom header image
  • Change site title
  • Change administrator's email
  • Change Wordpress Address
  • Change Site Address

Solution:

Currently, we are not aware of any vendor-supplied patches. For the vendor, it's not a critical vuln.

 

Does the fact that this vulnerability is currently in dispute (according to the CVE database) have any bearing on this situation?

http://web.nvd.nist.gov/view/vuln/search-results?query=2012-1936&search_type=all&cves=on


This vulnerability is flagged on all versions of WordPress including the current 3.4.2. There is no remediation or fix from the WordPress project.
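The QID text above gives an affected range ("versions prior to 3.3.1") but the scan report shows no WordPress version, so the first thing to establish is what version the scanned site actually exposes and whether it falls inside that range. The script below is an added example, not part of the original post and not Qualys's or WordPress's own detection logic: it fingerprints the WordPress version from the two places a black-box scanner typically looks, the `<meta name="generator">` tag on the front page and the version line in `/readme.html`, and compares the result against the 3.3.1 threshold from the QID. The HTML and readme snippets it parses are constructed sample input, and the threshold constant is taken from the "Affected Versions" text, not from any knowledge of how the QID is actually implemented.

```python
"""Fingerprint a WordPress version and compare it with the QID's affected range.

Added example; not the page's own code. The two sample responses below are
constructed to resemble a WordPress front page and its /readme.html so the
script runs offline. In practice you would fetch those URLs from the host
that was scanned.
"""
import re
from html.parser import HTMLParser

# "Wordpress Versions prior to 3.3.1" from the QID text, as a comparable tuple.
AFFECTED_BELOW = (3, 3, 1)

# Constructed sample: a front page that still exposes the generator tag.
SAMPLE_HOME_PAGE = """<!DOCTYPE html>
<html><head>
<meta charset="UTF-8" />
<meta name="generator" content="WordPress 3.4.2" />
<title>Example blog</title>
</head><body><p>Hello world!</p></body></html>
"""

# Constructed sample: the version line as it appears in WordPress's readme.html.
SAMPLE_README = """<h1 id="logo">
    <img alt="WordPress" src="wp-admin/images/wordpress-logo.png" />
    <br /> Version 3.4.2
</h1>
"""

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


class _GeneratorTag(HTMLParser):
    """Collect the version from <meta name="generator" content="WordPress x.y.z">."""

    def __init__(self):
        super().__init__()
        self.version = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        if (a.get("name") or "").lower() != "generator":
            return
        m = re.match(r"WordPress\s+" + _VERSION_RE.pattern, a.get("content") or "")
        if m:
            self.version = m.group(1)


def version_from_html(html):
    """Return the WordPress version string from the generator tag, or None."""
    p = _GeneratorTag()
    p.feed(html)
    return p.version


def version_from_readme(text):
    """Return the version string from the 'Version x.y.z' line of readme.html, or None."""
    m = re.search(r"Version\s+" + _VERSION_RE.pattern, text)
    return m.group(1) if m else None


def parse_version(s):
    """'3.4.2' -> (3, 4, 2). Tuple comparison handles '3.3' < '3.3.1' correctly."""
    return tuple(int(part) for part in s.split("."))


def is_affected(version, affected_below=AFFECTED_BELOW):
    """True when the version is inside the QID's stated range (strictly below 3.3.1)."""
    return parse_version(version) < affected_below


def assess(home_html, readme_text):
    """Combine both fingerprints and state whether the QID's range applies.

    The generator tag is preferred because it is what the site serves to every
    visitor; readme.html is the fallback, since many hardening guides delete it
    or strip the generator tag, in which case the version is simply unknown and
    the finding cannot be confirmed or refuted from the page content alone.
    """
    version = version_from_html(home_html) or version_from_readme(readme_text)
    if version is None:
        return {"version": None, "status": "unknown"}
    status = "affected" if is_affected(version) else "not in affected range"
    return {"version": version, "status": status}


if __name__ == "__main__":
    print(assess(SAMPLE_HOME_PAGE, SAMPLE_README))
    # A site that exposes neither fingerprint yields status "unknown".
    print(assess("<html><head></head><body></body></html>", ""))
```

If the status comes back "not in affected range" for a 3.4.2 install while the QID still fires, the finding is not being driven by the version text on the page, which is exactly the gap the question points at and the point to raise with the scanner vendor; if it comes back "unknown", the version has been hidden and the site must be checked from the server side instead.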
