WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
| Link | Tags |
|---|---|
| https://wpvulndb.com/vulnerabilities/9913 | third party advisory release notes |
| https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html | third party advisory |
| https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/ | release notes vendor advisory |
| https://core.trac.wordpress.org/changeset/46477 | patch vendor advisory |
| https://github.com/WordPress/WordPress/commit/b183fd1cca0b44a92f0264823dd9f22d2fd8b8d0 | third party advisory patch |
| https://lists.debian.org/debian-lts-announce/2019/11/msg00000.html | third party advisory mailing list |
| https://seclists.org/bugtraq/2020/Jan/8 | third party advisory mailing list |
| https://www.debian.org/security/2020/dsa-4599 | third party advisory vendor advisory |
| https://www.debian.org/security/2020/dsa-4677 | third party advisory vendor advisory |