Best WordPress Hosting

Wordfence Call CSRF Vulnerabilities “Low Risk” While Criticizing Competitor After Previously Calling Them “High Severity”

via pluginvulnerabilities.com => original post link

Recently, the CEO of the WordPress security provider Wordfence, Mark Maunder, was criticizing a competitor over a bug bounty program that led to cross-site request forgery (CSRF) vulnerabilities being found, while he was promoting Wordfence’s own bug bounty program. He said that an “extremely high number of low risk and low quality vulnerabilities [are] being submitted to databases like Patchstack” and specifically cited CSRF vulnerabilities as an example of that: “vulnerabilities that involve a Cross-Site Request Forgery are an example of this.” What shouldn’t be surprising to others in the WordPress security space who have had the misfortune of running across this guy is that he was criticizing someone else for something his own company has done.

It’s absolutely true that CSRF is a low-risk issue. CSRF involves causing someone else to take an action they are allowed to take, but didn’t intend to. For example, if a plugin has a reset capability for its settings that lacks CSRF protection, getting someone to click a link you generated while they are logged in to WordPress could cause the settings to be reset. While it is possible that this could be used in targeted attacks, we are not aware of anyone even claiming that it is being used on a wider scale. Considering how often there are false claims about types of attacks happening, that strongly suggests this issue isn’t something that is happening at any scale.
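As an added example that is not from the original post: what the settings-reset case described above looks like in plugin code, with the unprotected handler beside the nonce-protected one. The hook, option and capability names are assumptions, not from any real plugin.

```php
<?php
// Added example (not from the original post): a plugin "reset settings" action
// handled through admin-post.php, first without CSRF protection, then with the
// WordPress nonce and capability checks. Hook and option names are hypothetical.

// Unprotected: any request reaching this hook while an admin is logged in
// resets the settings. Because the browser attaches the WordPress login
// cookies automatically, a request triggered from another site is enough.
function myplugin_reset_settings_unsafe() {
    delete_option( 'myplugin_settings' );   // hypothetical option name
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}
add_action( 'admin_post_myplugin_reset_unsafe', 'myplugin_reset_settings_unsafe' );

// Protected: require a nonce tied to this action and the current user, and
// check the capability explicitly. The nonce is only present in a form the
// user loaded from the site, which is exactly what a cross-site request lacks.
function myplugin_reset_settings_safe() {
    // Dies with an "expired link" error when the nonce is missing or invalid.
    check_admin_referer( 'myplugin_reset_settings' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    delete_option( 'myplugin_settings' );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&reset=1' ) );
    exit;
}
add_action( 'admin_post_myplugin_reset', 'myplugin_reset_settings_safe' );

// The settings page renders the form; wp_nonce_field() embeds the nonce that
// check_admin_referer() validates. Using a POST form rather than a plain link
// also means the action cannot be triggered merely by following a URL.
function myplugin_render_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_reset">
        <?php wp_nonce_field( 'myplugin_reset_settings' ); ?>
        <?php submit_button( 'Reset settings', 'delete' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of issue, the check is simply whether every state-changing handler calls check_admin_referer() (or wp_verify_nonce()) before acting, not just whether the user is logged in.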