Skip to main content

WordPress 3.6 Vulnerabilities

A collection of WordPress 3.6 Vulnerabilities I've found.

Create a post/media/page as another user#

This bug allows a user with an Author role, using a specially crafted request, to create a post/media/page "written by" another user. It has been fixed September 11, 2013: https://wordpress.org/news/2013/09/wordpress-3-6-1/

"Based on our research so far, this allows for a user to post as another user, but this means that A) they must already be allowed to publish content, and B) they then lose the ability to edit that post. This of course is bad when you start to consider the possibility of a compromised account, or when combined with some other vulnerability or workflow that allows for an untrusted person to publish a post. It could also be dangerous on multisite, as any user on the network can be forged." - A response from the WordPress Team

Steps to reproduce#

  1. Make sure you have the permission to create/edit a post/media/page

  2. Press add/edit a post/media/page

  3. Before you press submit or update, set up a data tampering tool that will allow you to intercept HTTP requests.

  4. Press Submit / Update

  5. Intercept the request and change the value of user_ID and post_author parameters to the user id of the user you want to post as. To make a post as the first admin user, set both these values to 1.

    Wordpress User Forging
  6. The content will now be owned by the user specified in the step above.

Vulnerable Code#

https://core.trac.wordpress.org/changeset/25316