WordPress 4.1 XSS vulnerability; Hello friends, a vulnerability has been found in the commenting section of WordPress version 4.1. A detailed write-up and a video about the vulnerability are given below. I recommend that friends running WordPress version 4.1 update or close the vulnerability.
English document:
A client-side cross site request forgery issue and a cross site scripting vulnerability have been discovered in WordPress version 4.1. The client-side cross site request forgery vulnerability allows remote attackers to force client-side requests to execute application functions. The client-side cross site scripting vulnerability allows remote attackers to inject malicious script code to compromise administrator session data.
The XSS vulnerability is located in the username and userpass values of the iTwitter.php file POST method request. Remote attackers are able to inject malicious script code into the client-side application request. The CSRF vulnerability is located in the same value request and allows requesting the account session data. Both issues are only exploitable on the client-side of the application, and the request method to inject is POST.
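The two weaknesses the advisory describes (POST values reflected into the page without escaping, and a settings request accepted without proof that the logged-in user intended to send it) are both fixed at the same place in a plugin form handler. The following is an added example written for this post; it is not code from the advisory, from WordPress core or from the iTwitter plugin, and the handler names, option key and nonce action (`itwitter_settings_*`, `itwitter_username`, `itwitter_save_settings`) are assumed. It uses WordPress's own nonce and escaping helpers, which exist in core.

```php
<?php
// Added example, not the plugin's real code. Assumed: a settings form that reads
// 'username' and 'userpass' from POST and echoes 'username' back into the form.

// Vulnerable shape: raw POST value written into an HTML attribute, no request
// origin check. Any value an attacker can get a logged-in admin to submit ends
// up in the admin's page verbatim.
function itwitter_settings_vulnerable() {
    $username = isset( $_POST['username'] ) ? $_POST['username'] : '';
    echo '<input type="text" name="username" value="' . $username . '">';
}

// Hardened shape: nonce check (CSRF), capability check, sanitised storage,
// and context-aware escaping on output (XSS).
function itwitter_settings_hardened() {
    $username = '';

    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // 1. CSRF: the form must carry a nonce bound to this action and the
        //    current user session; a request forged from another site lacks it.
        //    check_admin_referer() dies with an error when the nonce is missing
        //    or invalid.
        check_admin_referer( 'itwitter_save_settings', 'itwitter_nonce' );

        // 2. Only users allowed to manage settings may change them.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient privileges' );
        }

        // 3. Normalise the input before it is stored (strips tags, trims,
        //    removes control characters).
        $username = sanitize_text_field( wp_unslash( $_POST['username'] ) );
        update_option( 'itwitter_username', $username ); // hypothetical option key
    } else {
        $username = get_option( 'itwitter_username', '' );
    }

    // 4. XSS: escape at the output point, for the context the value lands in.
    //    esc_attr() neutralises quotes and angle brackets inside an attribute,
    //    so a stored or reflected value cannot break out of the input tag.
    echo '<form method="post">';
    wp_nonce_field( 'itwitter_save_settings', 'itwitter_nonce' );
    echo '<input type="text" name="username" value="' . esc_attr( $username ) . '">';
    // The password is never echoed back to the browser at all.
    echo '<input type="password" name="userpass" value="">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}
```

The order matters: the nonce check runs before any state change, the capability check runs before the option is written, and escaping happens on output rather than on input so the stored value stays usable in other contexts (a JavaScript or URL context would need `esc_js()` or `esc_url()` instead of `esc_attr()`).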
The security risk of the client-side web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 2.5. Exploitation of the client-side web vulnerability requires no privileged web-application user account and low or medium user interaction. Successful exploitation of the vulnerabilities results in non-persistent phishing mails, session hijacking, non-persistent external redirects to malicious sources and client-side manipulation of the affected or connected module context.