6Scan Security
Question about "3.4 comment posting forgery" (3 posts)

  1. itpixie
    Posted 4 years ago #


    This is more a curiosity question...

    My site received a vulnerability warning about "3.4 comment posting forgery" that read the following:
    Wordpress 3.4 (and 3.3.2) comment posting forgery
    CSRF vulnerability in WordPress versions under 3.3.2 allows malicious users to make fake posts

    However from what I could find about this vulnerability, WordPress has patched that in WordPress 3.3.2, so is this warning still valid? Should one still follow the instructions provided in the scan report to "patch" the vulnerability?

    Thank you in advance for the clarifications!


  2. 6Scan
    Plugin Author

    Posted 4 years ago #

    Hey itpixie,

    The vulnerability in question hasn't been patched as of the latest WordPress release (3.4.1). We just retested it to make 100% sure. So yes, you should still follow the instructions to patch it yourself.

    We'd be interested in hearing where you got the information that it was patched, so if you could send that over it would be great.

  3. itpixie
    Posted 4 years ago #

    I think I was actually seeing information about a different vulnerability in wp-comment-post.php that had to do with redirects, which was fixed in WP 3.3.2 (http://wordpress.org/news/2012/04/wordpress-3-3-2/).

    After seeing this comment (which was posted after my question), I think I have a better understanding of the vulnerability that 6Scan pointed out. Correct me if I'm wrong:
    The vulnerability in question is about fake comments to be posted to vulnerable sites. These fake comments are generated from hacked sites and trigger by these sites' visitors commenting on the sites... The fix provided by 6Scan is to block these fake comments by checking the Referer Header and comparing that to that of the site to be posted...

    Thank you again for the clarification and additional information.

Topic Closed

This topic has been closed to new replies.

About this Plugin

  • 6Scan Security
  • Frequently Asked Questions
  • Support Threads
  • Reviews

About this Topic