5.3.4 Wordpress.com

We found that Wordpress.com was vulnerable to the Unexpired Session and Unexpired Email Change Attacks.

Unexpired Session Attack. In the Victim action phase, when the victim tried to create an account with their email address, Wordpress.com notified the victim that an account already existed and offered to sign them in via a one-time link sent to the victim's email address. As long as the victim relies on this option (i.e., does not reset the password), the attacker's session on the pre-created account remains valid and the attacker retains access. Even if the victim does set a new password, the attacker's earlier session is not invalidated, so the attacker can keep access indefinitely simply by keeping that session active.

Unexpired Email Change Attack. As in the first case study, to execute this attack the attacker would need to perform a CSRF-like attack in the Attack phase. A successful attack on Wordpress.com would allow the attacker to modify the websites managed by the victim and to sign in to other services where the victim uses Wordpress.com as an IdP.

When we reported our findings to Wordpress.com via HackerOne in June 2021, the reports were marked as "Not Applicable". These vulnerabilities were not present in the self-hosted version of the Wordpress software, because it requires all self-registered users to verify their email addresses before they can perform any actions.
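The following is an added illustrative model of the two failures described in this case study; it is not Wordpress.com's code and abstracts away how the email-change confirmation is triggered (the paper notes a CSRF-like step is needed, which is not modelled). The `Service` class, account and session layout, and the `hardened` switch are assumptions introduced for the example. In the vulnerable configuration, the session the attacker obtained at sign-up survives both the victim's one-time-link sign-in and the victim's subsequent password reset, and the attacker's unconfirmed email change can still be completed afterwards. In the hardened configuration, proving mailbox ownership and setting a new password each bump a per-account credential version, which invalidates every session issued earlier (except the caller's own) and discards any pending email change.

```python
"""Model of pre-hijacking via unexpired sessions and unexpired email changes.
Illustrative example only (not Wordpress.com's implementation)."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    email: str
    password: str
    email_verified: bool = False
    cred_version: int = 0            # bumped on every ownership/credential change
    pending_email: Optional[str] = None


@dataclass
class Session:
    account_id: int
    cred_version: int                # account version the session was issued under


class Service:
    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened     # True: invalidate on claim and password change
        self.accounts: dict[int, Account] = {}
        self.sessions: dict[str, Session] = {}

    def _issue(self, acct_id: int) -> str:
        token = secrets.token_hex(16)
        self.sessions[token] = Session(acct_id, self.accounts[acct_id].cred_version)
        return token

    def _auth(self, token: str) -> Optional[int]:
        s = self.sessions.get(token)
        if s is None:
            return None
        acct = self.accounts[s.account_id]
        if self.hardened and s.cred_version != acct.cred_version:
            return None              # session predates an ownership/credential change
        return s.account_id

    def _reset_ownership_state(self, acct: Account) -> None:
        acct.cred_version += 1       # every previously issued session now fails _auth
        acct.pending_email = None    # unconfirmed email changes are discarded too

    def signup(self, email: str, password: str) -> tuple[int, str]:
        acct_id = len(self.accounts) + 1
        self.accounts[acct_id] = Account(email, password)   # email not verified yet
        return acct_id, self._issue(acct_id)

    def request_email_change(self, token: str, new_email: str) -> bool:
        acct_id = self._auth(token)
        if acct_id is None:
            return False
        self.accounts[acct_id].pending_email = new_email
        return True

    def confirm_email_change(self, acct_id: int) -> bool:
        acct = self.accounts[acct_id]
        if acct.pending_email is None:
            return False
        acct.email, acct.pending_email = acct.pending_email, None
        return True

    def claim_via_one_time_link(self, acct_id: int) -> str:
        # The victim has just proved control of the mailbox via the one-time sign-in link.
        acct = self.accounts[acct_id]
        acct.email_verified = True
        if self.hardened:
            self._reset_ownership_state(acct)
        return self._issue(acct_id)

    def set_password(self, token: str, new_password: str) -> bool:
        acct_id = self._auth(token)
        if acct_id is None:
            return False
        acct = self.accounts[acct_id]
        acct.password = new_password
        if self.hardened:
            self._reset_ownership_state(acct)
            self.sessions[token].cred_version = acct.cred_version  # keep caller's own session
        return True

    def session_valid(self, token: str) -> bool:
        return self._auth(token) is not None


def run_scenario(hardened: bool) -> tuple[bool, bool, str]:
    """Returns (attacker session still valid, victim session valid, final account email)."""
    svc = Service(hardened)
    # Attack phase (constructed data): attacker registers with the victim's address
    # and leaves a change to an attacker-controlled address unconfirmed.
    acct_id, attacker_tok = svc.signup("victim@example.com", "attacker-pw")
    svc.request_email_change(attacker_tok, "attacker@example.net")
    # Victim action phase: victim signs in via the one-time link, then sets a password.
    victim_tok = svc.claim_via_one_time_link(acct_id)
    svc.set_password(victim_tok, "victim-pw")
    # Attacker reuses the old session and completes the pending email change.
    attacker_still_in = svc.session_valid(attacker_tok)
    svc.confirm_email_change(acct_id)
    return attacker_still_in, svc.session_valid(victim_tok), svc.accounts[acct_id].email
```

`run_scenario(False)` reproduces the case study outcome (attacker session survives, account email ends up attacker-controlled); `run_scenario(True)` shows the victim's claim and password reset evicting the attacker while the victim's own session keeps working. A real service would typically implement the version bump by rotating a per-user session salt or revoking server-side session records, and would apply the same reset on password-recovery flows.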