If you are using the `code` or `password-reset` auth method, you can work around this vulnerability by setting the `auth.methods` option to `password`. This disables the code-based login and password reset forms. To fix this issue in versions 3.6.6.2, 3.7.5.1, and 3.8.1, install the patch. We have also provided a workaround for enabling the `debug` option in production.

What is CSRF?

A cross-site request forgery (CSRF) attack tricks a user's browser into sending a request to a web application so that an action chosen by the attacker is performed on the user's behalf.
This vulnerability was identified in versions 3.6.6, 3.7.5, and 3.8 of WordPress during development and was fixed in version 3.9 of WordPress before release.
The vulnerability allows attackers to perform administrative actions on sites not intended for them by sending a malicious link or form post that warns users their account is about to be deleted due to inactivity.
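The standard defence against the attack described above is a per-session synchronizer token: the server embeds a secret token in every state-changing form and rejects any POST that does not carry it back. A cross-site page can make the victim's browser send the cookies, but it cannot read the token out of the victim's form, so the forged request fails the check. The following is an added example written for this page, not code from the advisory or from any project it names; the in-memory session store, the user name `alice` and the form field names are constructed stand-ins.

```python
import hmac
import re
import secrets

# Constructed stand-in for a server-side session store keyed by session id.
SESSIONS = {}


def start_session(user="alice"):
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """Return the hidden field the server embeds in a state-changing form."""
    token = SESSIONS[sid]["csrf_token"]
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def extract_token(html):
    """What a legitimate same-origin client does: read the token out of the form."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return match.group(1) if match else None


def handle_post(sid, form):
    """Perform the action only if the submitted token matches the session's.

    Returns (status, message). The comparison is constant-time so the check
    does not leak the token byte by byte through timing.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return 403, "no session"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "csrf token mismatch"
    return 200, f"{form.get('action', 'noop')} performed for {session['user']}"


def legitimate_flow(sid):
    """Same-origin client: fetch the form, echo the token back, succeed."""
    token = extract_token(render_form(sid))
    return handle_post(sid, {"csrf_token": token, "action": "delete-account"})


def forged_flow(sid):
    """Cross-site page: the browser attaches the session (sid) automatically,
    but the attacker never saw the token, so the request carries none."""
    return handle_post(sid, {"action": "delete-account"})


if __name__ == "__main__":
    sid = start_session()
    print(legitimate_flow(sid))  # (200, 'delete-account performed for alice')
    print(forged_flow(sid))      # (403, 'csrf token mismatch')
```

The token must be unpredictable (hence `secrets`) and bound to the session rather than global; a static or guessable token gives no protection. Checking the `Origin` or `Sec-Fetch-Site` request headers is a useful second layer, but the token check is the part that does not depend on browser behaviour.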

How does the Code-based Login Vulnerability Work?

The vulnerability is caused when certain versions do not properly sanitize user input at the `/admin/login` endpoint. Specifically, if a username and password combination contains only lowercase letters, the request is successfully logged in as an admin user.

Timeline

Published on: 10/24/2022 14:15:00 UTC
Last modified on: 10/25/2022 13:13:00 UTC

References