Ferruh sent BlogSec an email this morning about a new attack vector for WordPress, using CSRF (Cross-Site Request Forgery).
We have not yet had time to investigate the issue further, but it looks interesting. The basic concept revolves around the fact that WordPress is user-friendly and asks the user for confirmation before submitting a request that lacks a valid nonce.
By dressing the request in some fancy CSS it may be possible to get the user to confirm the request without them knowing.
It's a CSRF that requires some user interaction, which may mean a little social engineering. Ferruh also provides a proof-of-concept exploit.
Ferruh credits BlogSec’s Gareth Heyes for his work around CSS Overlays.
Nice work Ferruh!