WordPress Filesystem Credentials Dialog CSRF

By Sooraj V Nair
Published on 26 Jun 2018
Vulnerability

This vulnerability affects WordPress users. Cross-Site Request Forgery (CSRF) is an attack against authenticated web applications that relies on the user's cookies. In a CSRF attack, an attacker tricks a victim into making a request the victim did not intend to make, forcing the end user to execute unwanted actions on a web application. In this way the attacker abuses the trust of the web application.

A vulnerable version of WordPress was found. It does not require updating credentials in the file system, and this can lead to Cross-Site Request Forgery. The CSRF vulnerability was discovered in the filesystem credentials dialog: WordPress had vulnerable FTP/SSH form functionality through which an attacker could perform a CSRF attack.

This vulnerability allows an attacker to overwrite, without authorisation, the FTP or SSH connection settings of the affected WordPress web application. An attacker can use this bug to trick the application administrator into logging in to the attacker’s FTP or SSH server, which discloses the administrator’s login credentials to the attacker. To exploit this vulnerability, the attacker must lure or force the WordPress administrator into opening a malicious website.
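The check that is missing from a CSRF-prone connection settings form, modelled as an added example (this is not WordPress code and not from the original article). The session store, secret key, field names, action name and hostnames are all constructed assumptions; the handler compares the cookie-only behaviour with a handler that also requires a per-session token.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)      # per-install secret (constructed)
SESSIONS = {"sess-admin-1": "admin"}      # constructed session store
ACTION = "save-connection-settings"       # hypothetical action name


def issue_token(session_id):
    """Token bound to one session and one action; rendered only into the real form."""
    msg = f"{session_id}|{ACTION}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def save_connection_settings(request, store, require_token):
    """Handle a POST that overwrites the FTP/SSH connection settings.

    Returns True when the stored settings were changed.
    """
    session_id = request["cookies"].get("session")
    if SESSIONS.get(session_id) != "admin":
        return False                      # not an authenticated administrator
    if require_token:
        supplied = request["form"].get("_token", "")
        if not hmac.compare_digest(supplied, issue_token(session_id)):
            return False                  # cookie alone is not proof of intent
    store["hostname"] = request["form"]["hostname"]
    store["username"] = request["form"]["username"]
    return True


def cross_site_request():
    """How a forged post looks to the server: the browser attaches the session
    cookie, but another origin cannot read the token, so the field is absent."""
    return {"cookies": {"session": "sess-admin-1"},
            "form": {"hostname": "ftp.attacker.example", "username": "x"}}


def same_site_request(hostname):
    """A post from the application's own form, which carries the token."""
    return {"cookies": {"session": "sess-admin-1"},
            "form": {"hostname": hostname, "username": "deploy",
                     "_token": issue_token("sess-admin-1")}}
```

With `require_token=False` the forged post changes the stored hostname; with `require_token=True` it is rejected while the application's own form still works.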

Impact and Fixes


Written by
Sooraj V Nair
Cyber Security Engineer