WordPress: CSRF to add admin [wordpress]

ID H1:149589
Type hackerone
Reporter abdullah
Modified 2017-06-30T17:49:16


This researcher discovered that WordPress was vulnerable to CSRF attacks when a Flash (SWF) file is uploaded with an extension matching a trusted file type (for example an image extension), because the Flash plugin identifies an SWF by its content and, in certain cases, loads and runs the file regardless of its extension and of the Content-Type header it is served with. Since the file is then served from the WordPress origin, an attacker's page that embeds it can make the SWF send authenticated requests to the site on a logged-in administrator's behalf, such as a request that creates a new administrator account.

To resolve this issue, WordPress implemented stricter file-type checks on uploaded files, so that Flash content can no longer be uploaded under a trusted extension.
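The check below is an added illustration of the two paragraphs above, written for this page and not taken from WordPress or the report: an extension-only upload filter of the kind the attack relies on, beside a hardened filter that sniffs the file's leading bytes and refuses any upload that starts with a Flash signature (FWS, CWS or ZWS) or whose content does not match the signature expected for its extension. The ALLOWED table, the helper names and the sample files are constructed for the example; the fake SWF headers are only headers, not playable movies.

```python
"""Upload file-type checks: extension-only (weak) vs. content-sniffing (hardened).

Added example, not WordPress code. Flash Player identifies an SWF by its first
three bytes ("FWS" uncompressed, "CWS" zlib, "ZWS" LZMA), not by the URL's
extension or the response's Content-Type, so a filter that trusts the extension
alone lets an SWF named photo.jpg through. The hardened check sniffs the bytes.
"""
import zlib

# Extension -> acceptable leading byte sequences (constructed table, not exhaustive).
ALLOWED = {
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
}

# Signatures Flash Player accepts as the start of an SWF file.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def _extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def extension_only_check(filename: str) -> bool:
    """Weak check: accepts any filename with a trusted extension, never reads the bytes."""
    return _extension(filename) in ALLOWED


def is_swf(data: bytes) -> bool:
    """True if the content would be recognised as an SWF regardless of its name."""
    return data[:3] in SWF_SIGNATURES


def hardened_check(filename: str, data: bytes) -> bool:
    """Accept only if the extension is trusted AND the bytes carry a matching signature.

    The explicit SWF deny runs first so a Flash file is rejected even if a
    future ALLOWED entry were loose enough to match its header.
    """
    ext = _extension(filename)
    if ext not in ALLOWED:
        return False
    if is_swf(data):
        return False
    return any(data.startswith(sig) for sig in ALLOWED[ext])


def make_fake_swf(compressed: bool = False) -> bytes:
    """Constructed SWF-like header: signature, version byte, uncompressed length (LE u32).

    Only the header matters for sniffing; the body is padding, not a valid movie.
    """
    body = b"\x00" * 16
    length = (8 + len(body)).to_bytes(4, "little")
    if compressed:
        return b"CWS" + b"\x0a" + length + zlib.compress(body)
    return b"FWS" + b"\x0a" + length + body


# Constructed sample uploads: name -> (filename as uploaded, file bytes).
SAMPLES = {
    "real-jpg":      ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    "real-gif":      ("anim.gif",  b"GIF89a\x01\x00\x01\x00"),
    "swf-as-jpg":    ("photo.jpg", make_fake_swf()),
    "zlib-swf-as-png": ("logo.png", make_fake_swf(compressed=True)),
    "swf-as-swf":    ("movie.swf", make_fake_swf()),
    "jpg-as-png":    ("logo.png", b"\xff\xd8\xff\xe0"),
}


def triage(samples: dict) -> dict:
    """Run both checks over the samples; returns name -> (weak_result, hardened_result)."""
    return {
        name: (extension_only_check(fn), hardened_check(fn, data))
        for name, (fn, data) in samples.items()
    }


if __name__ == "__main__":
    for name, (weak, hard) in triage(SAMPLES).items():
        print(f"{name:18s} extension-only={weak!s:5s} hardened={hard}")
```

The interesting rows are the two SWFs with image extensions: the extension-only filter accepts both, the hardened filter rejects both. Note that the hardened check also rejects a genuine JPEG uploaded as .png, which is the intended behaviour: a mismatch between claimed type and content is exactly the condition that lets a browser plugin's own sniffing decide what the file is.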