Date: Thu, 6 Jun 2013 20:44:09 +0300
From: Henri Salo <>
Cc: Kurt Seifried <>
Subject: CVE request: WordPress plugin uk-cookie CSRF


While reproducing CVE-2012-5856[1][2] I noticed there is a CSRF security
vulnerability in the uk-cookie plugin, and by abusing it an attacker can insert XSS
into the front page of a WordPress installation. Version 1.1 is the latest and I did not
test older versions. The OSVDB item[3] should be updated. The plugin is currently
disabled in the WordPress plugin repository, so the vendor URL is currently a 404.

Product: Uk Cookie Plugin for WordPress
Vendor URL:
Vendor SVN:
Vulnerability Type: CWE-352
Vulnerable Versions: 1.1 and probably earlier
Fixed Version: N/A

Kurt, could you assign a CVE identifier for the CSRF vulnerability, thanks.


Similar plugins are available:

Qentinel, Henri Salo
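As an added illustration of the CWE-352 pattern the report describes (this is not the uk-cookie plugin's code, and all hook, option and function names are hypothetical): a WordPress settings handler in the CSRF-prone shape, beside a hardened version that checks capability, verifies a nonce, sanitizes the stored value and escapes it on the front page.

```php
<?php
// Added illustration, not the uk-cookie plugin's own code. Hook, option and
// function names ("cn_*") are invented for a hypothetical cookie-notice plugin.

// --- Weak shape (CWE-352): any request reaching this code is trusted ---
// No capability check, no nonce, no sanitization: a POST forged from a page
// an admin is visiting can set the message, which is later echoed unescaped
// on the front page (stored XSS).
function cn_save_settings_weak() {
    if ( isset( $_POST['cn_message'] ) ) {
        update_option( 'cn_message', $_POST['cn_message'] );
    }
}

// --- Hardened handler ---
function cn_save_settings() {
    // 1. Authorization: only users allowed to manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the request must carry the nonce emitted by cn_settings_form().
    //    check_admin_referer() stops with a 403 page if it is missing or invalid.
    check_admin_referer( 'cn_save_settings', 'cn_nonce' );
    // 3. Sanitize before storing.
    $message = isset( $_POST['cn_message'] )
        ? sanitize_text_field( wp_unslash( $_POST['cn_message'] ) )
        : '';
    update_option( 'cn_message', $message );
    wp_safe_redirect( admin_url( 'options-general.php?page=cn' ) );
    exit;
}
add_action( 'admin_post_cn_save_settings', 'cn_save_settings' );

// Settings form: the hidden nonce field ties the submission to this user's session.
function cn_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="cn_save_settings">';
    wp_nonce_field( 'cn_save_settings', 'cn_nonce' );
    echo '<input type="text" name="cn_message" value="'
        . esc_attr( get_option( 'cn_message', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}

// Front-page output: escape at render time even though input was sanitized.
function cn_render_notice() {
    echo '<div class="cn-notice">' . esc_html( get_option( 'cn_message', '' ) ) . '</div>';
}
add_action( 'wp_footer', 'cn_render_notice' );
```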

