List: full-disclosure
Subject: Re: [Full-disclosure] Question about disclosure of WordPress plugin
From: Andrew Farmer <andfarm () gmail ! com>
Date: 2011-08-29 20:07:55
Message-ID: 8EC6C8F4-AD35-420F-982E-54C9401B8E6B () gmail ! com
On 2011-08-26, at 05:08, Miroslav Stampar wrote:
> Does anybody know what's the general opinion on disclosure of
> WordPress plugin vulnerabilities in these two sections:
<...>
> 2) admin ones (requires access to the restricted admin area)
If you need full admin access to run the exploit, you probably have enough access that you could get arbitrary code execution by installing a plugin, like:
http://wordpress.org/extend/plugins/wordpress-console/
So the "exploit" isn't really doing much at that point, unless it can be triggered remotely (e.g., CSRF).