On 2011-08-26, at 05:08, Miroslav Stampar wrote: > Does anybody know what's the general opinion on disclosure of > WordPress plugin vulnerabilities in these two sections: <...> > 2) admin ones (requires access to the restricted admin area)
If you need full admin access to run the exploit, you probably have enough access that you could get arbitrary code execution by installing a plugin, like: http://wordpress.org/extend/plugins/wordpress-console/ So the "exploit" isn't really doing much at that point, unless it can be triggered remotely (e.g, CSRF). _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
