Full Disclosure mailing list archives

Re: Question about disclosure of WordPress plugin vulnerabilities
From: Andrew Farmer <andfarm () gmail com>
Date: Mon, 29 Aug 2011 13:07:55 -0700

On 2011-08-26, at 05:08, Miroslav Stampar wrote:
> Does anybody know what's the general opinion on disclosure of
> WordPress plugin vulnerabilities in these two sections:
> <...>
> 2) admin ones (requires access to the restricted admin area)

If you need full admin access to run the exploit, you probably have enough access that you could get arbitrary code execution by installing a plugin, like:

http://wordpress.org/extend/plugins/wordpress-console/

So the "exploit" isn't really doing much at that point, unless it can be triggered remotely (e.g., CSRF).
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
