wpvulndb
WPVDB-ID:EBD354DB-AB63-4644-891C-4A200E9EEF7E
Oct 29, 2020 - 12:00 a.m.

WordPress < 5.5.2 - Cross-Site Request Forgery (CSRF) to Change Theme Background

wpscan.com

Erwan, a security researcher from the WPScan team, discovered and responsibly disclosed a Cross-Site Request Forgery (CSRF) vulnerability that could allow an unauthenticated attacker to change the background image of the theme. For the attack to succeed, a privileged authenticated WordPress user would need to visit a page the attacker controls, so that the CSRF request is executed.