WordPress - Cross-Site Request Forgery (CSRF) vulnerability

  • CERT Admin
  • Mon Mar 18 2019
  • Alerts

Systems Affected 

WordPress versions prior to 5.1.1

Threat Level



Allows an attacker to mount a cross-site request forgery (CSRF) attack and gain remote code execution.


The CSRF issue resides in the WordPress comment section, a core component of the content management system that is enabled by default, and affects all WordPress installations prior to version 5.1.1. The exploit allows an unauthenticated remote attacker to achieve remote code execution and ultimately gain full site takeover.

Issues identified within WordPress
  ✦  WordPress doesn't use CSRF validation when a user posts a new comment, allowing attackers to post comments on behalf of an administrator.
  ✦  Comments posted by administrator accounts are not sanitized and can include arbitrary HTML tags, even SCRIPT tags.
  ✦  The WordPress frontend is not protected by an X-Frame-Options header.
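The following must-use plugin is an added hardening example written for this alert; it is not code from the advisory or from the WordPress project. It addresses the three issues above on a site that cannot yet be updated: a per-post nonce on the comment form, forced kses filtering of comment content for every account, and an X-Frame-Options header. The nonce field name `_hardening_nonce` and the file location are assumptions.

```php
<?php
/**
 * Plugin Name: Comment CSRF Hardening (added example, not part of the advisory)
 * Assumed location: wp-content/mu-plugins/comment-csrf-hardening.php
 * Updating WordPress to 5.1.1 or later remains the actual fix.
 */

// Issue 1: no CSRF validation on comment submission.
// Add a hidden nonce field to the comment form; the action string binds it to this post.
add_action( 'comment_form', function ( $post_id ) {
    wp_nonce_field( 'post_comment_' . $post_id, '_hardening_nonce' );
} );

// Verify the nonce before the comment is inserted. A cross-site form post cannot
// know the victim's nonce, so the forged request is rejected here.
add_action( 'pre_comment_on_post', function ( $comment_post_id ) {
    $nonce = isset( $_POST['_hardening_nonce'] ) ? $_POST['_hardening_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'post_comment_' . $comment_post_id ) ) {
        wp_die(
            'Comment rejected: missing or invalid CSRF token.',
            'Forbidden',
            array( 'response' => 403 )
        );
    }
} );

// Issue 2: administrator comments are stored unsanitized.
// Run the same kses filter WordPress applies to non-privileged users on every comment,
// so SCRIPT and other disallowed tags are stripped regardless of the author's role.
add_filter( 'pre_comment_content', 'wp_filter_kses', 5 );

// Issue 3: frontend can be framed. Send X-Frame-Options on every frontend response.
add_action( 'send_headers', function () {
    if ( ! is_admin() ) {
        header( 'X-Frame-Options: SAMEORIGIN' );
    }
} );
```

Themes that render their own form markup instead of calling comment_form() will not receive the hidden field and every submission would then be rejected, and full-page caching can serve stale nonces to anonymous visitors, so test both before deploying.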

Impact

  ✦  Successful exploitation results in full takeover of the affected WordPress websites.

Solution/ Workarounds 

  ✻  Update to the latest version of Mozilla's Firefox on Windows, Linux and Mac.




The information provided herein is on "as is" basis, without warranty of any kind.

Last updated: Mon Mar 18 2019