Authorization vs. Intent: Why You Should Always Verify Both

via wordfence.com => original post link

The Wordfence Threat Intelligence team has observed a recent increase in the number of partial vulnerability patches that fix one issue while leaving a separate underlying issue unaddressed. More specifically, we have been seeing an increase in Missing Authorization vulnerabilities that are "fixed" using tools intended to address Cross-Site Request Forgery, even though these are two independently fixable vulnerability types that should be treated as such.

Wordfence has a dedicated research team which regularly conducts vulnerability research. Our discoveries are added to the Wordfence Intelligence Community Edition Vulnerability database, and are often published on our blog after responsibly disclosing them to the vendors. We have discovered and written about several Missing Authorization and Cross-Site Request Forgery (CSRF) vulnerabilities in the past, both of which are considered independently fixable security issues. In today's post we want to address the root causes of these two vulnerability types, how they relate, and how they differ.
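The pattern described above, as an added illustration that is not code from the Wordfence post or from any real plugin: a hypothetical WordPress AJAX handler shown in three states, first with no protection, then with the common "partial fix" that adds only a nonce check, and finally with both a nonce (intent) check and a capability (authorization) check. The option name `example_plugin_setting`, the nonce action `example_plugin_save` and the handler names are assumed placeholders; the WordPress functions (`check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `update_option`, `wp_nonce_field`) are real core APIs.

```php
<?php
// Added example, not from the Wordfence post. Names prefixed "example_plugin_"
// are hypothetical placeholders for a plugin's own identifiers.

// STATE 1 - no check at all. Registered on both wp_ajax_ (logged-in users)
// and wp_ajax_nopriv_ (anonymous visitors), so anyone can change the option.
// This is simultaneously a Missing Authorization and a CSRF vulnerability.
function example_plugin_save_setting_unprotected() {
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success( array( 'saved' => $value ) );
}
add_action( 'wp_ajax_example_plugin_save_v1',        'example_plugin_save_setting_unprotected' );
add_action( 'wp_ajax_nopriv_example_plugin_save_v1', 'example_plugin_save_setting_unprotected' );

// STATE 2 - the "partial fix": only a nonce check was added.
// The nonce proves the request came from a page this site rendered for the
// current user (CSRF mitigation) and does stop anonymous abuse once the
// nopriv hook is dropped. It does NOT prove the user is allowed to change
// options: any authenticated user who can load a page that emits this nonce
// (for example a subscriber on a front-end page) can still call the handler.
// The Missing Authorization issue therefore remains.
function example_plugin_save_setting_nonce_only() {
    check_ajax_referer( 'example_plugin_save', 'nonce' ); // dies on failure
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success( array( 'saved' => $value ) );
}
add_action( 'wp_ajax_example_plugin_save_v2', 'example_plugin_save_setting_nonce_only' );

// STATE 3 - verify both intent and authorization, independently.
function example_plugin_save_setting_protected() {
    // Intent: the request was deliberately submitted from our own page,
    // not forged by a third-party site the user happened to visit.
    check_ajax_referer( 'example_plugin_save', 'nonce' );

    // Authorization: the requester is actually permitted to change site
    // options. This check is what the nonce alone never provides.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success( array( 'saved' => $value ) );
}
// Only the wp_ajax_ hook: anonymous visitors have no business here at all.
add_action( 'wp_ajax_example_plugin_save', 'example_plugin_save_setting_protected' );

// The settings form that emits the nonce the protected handler expects.
// Rendering it only on an admin page is not a substitute for the capability
// check above: the handler must enforce authorization itself.
function example_plugin_render_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_plugin_save', 'nonce' );
    echo '<input type="text" name="value" value="'
        . esc_attr( get_option( 'example_plugin_setting', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}
```

The two checks answer different questions and either can fail while the other passes: a forged cross-site request from an administrator's browser carries the right capability but no valid nonce, while a subscriber's hand-crafted request can carry a perfectly valid nonce but lacks the capability. A handler that performs a privileged action needs both answers before it proceeds.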

Defining the Two Vulnerability Types