Facebook for WordPress 3.0.0-3.0.3 - CSRF to Stored XSS and Settings Deletion

The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved.

N/A

跨站请求伪造(CSRF)

WordPress插件 跨站请求伪造漏洞

WordPress是Wordpress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress 插件是WordPress开源的一个应用插件。 Facebook WordPress插件 3.0.4版本之前存在跨站请求伪造漏洞，该漏洞源于Facebook WordPress插件的ajax操作由于缺乏nonce保护而容易受到CSRF的攻击。

N/A

N/A