In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This.
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
| Link | Tags |
|---|---|
| http://www.securityfocus.com/bid/96602 | third party advisory vdb entry |
| http://www.securitytracker.com/id/1037959 | third party advisory vdb entry |
| https://wpvulndb.com/vulnerabilities/8770 | third party advisory patch |
| http://openwall.com/lists/oss-security/2017/03/06/7 | mailing list third party advisory exploit |
| https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/ | patch vendor advisory release notes |
| https://codex.wordpress.org/Version_4.7.3 | patch vendor advisory |
| https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829 | patch third party advisory issue tracking |
| https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html | third party advisory exploit |