Re: [Full-disclosure] Question about disclosure of WordPress plugin vulnerabilities
- To: Miroslav Stampar <miroslav.stampar@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Question about disclosure of WordPress plugin vulnerabilities
- From: Andrew Farmer <andfarm@xxxxxxxxx>
- Date: Mon, 29 Aug 2011 13:07:55 -0700
On 2011-08-26, at 05:08, Miroslav Stampar wrote:
> Does anybody know what's the general opinion on disclosure of
> WordPress plugin vulnerabilities in these two sections:
<...>
> 2) admin ones (requires access to the restricted admin area)

If you need full admin access to run the exploit, you probably have enough
access that you could get arbitrary code execution by installing a plugin, like:

http://wordpress.org/extend/plugins/wordpress-console/

So the "exploit" isn't really doing much at that point, unless it can be
triggered remotely (e.g., CSRF).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/