|Description||WordPress 2.6.3 relies on the REQUEST superglobal array in certain dangerous situations, which makes it easier for remote attackers to conduct delayed and persistent cross-site request forgery (CSRF) attacks via crafted cookies, as demonstrated by attacks that (1) delete user accounts or (2) cause a denial of service (loss of application access). NOTE: this issue relies on the presence of an independent vulnerability that allows cookie injection.|
|Source||CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)|
|NVD severity||medium (attack range: remote, user-initiated)|
Vulnerable and fixed packages
The table below lists information on source packages.
|Source Package||Release||Version||Status|
|wordpress (PTS)||squeeze, squeeze (security)||3.6.1+dfsg-1~deb6u4||fixed|
|wordpress||wheezy (security), wheezy||3.6.1+dfsg-1~deb7u6||fixed|
|wordpress||jessie (security), jessie||4.1+dfsg-1+deb8u4||fixed|
The information below is based on the following data on fixed versions.