EDIT: Thank you Connie for bringing up the issue about the PacketStorm advisory regarding this issue. I’ve added a link to that advisory at the bottom of this post.
Over at Weblog Tools Collection, an article was posted earlier today regarding a vulnerability in version 1.0 of the Dean's Permalinks Migration Plugin. The vulnerability involves XSRF (cross-site request forgery) and allows an attacker to steal valid credentials.
The person who found this vulnerability, who goes by the name g30rg3_x, explains it as follows:
Since the variable $dean_pm_config['oldstructure'] is not correctly sanitized (when retrieving), this allows any user to store/save “malicious code” inside the database and later have this “malicious code” injected when the data is retrieved. Using the XSRF as a “combo” we can create crafted pages that will force users to conduct this injection and steal some valid credentials to the WordPress based CMS.
As a normal procedure or etiquette for developers and programmers, g30rg3_x contacted the plugin author first to notify him about the vulnerability. But after several failed attempts, he took it upon himself to create and provide a fix for this plugin vulnerability.
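To make concrete what such a fix has to cover, here is an added illustration in the style of a WordPress settings handler. It is not the plugin's code and not g30rg3_x's patch; only the option key and the 'oldstructure' field come from the advisory, the function names and form layout are assumed.

```php
<?php
// Added illustration, not the plugin's code. The option key 'dean_pm_config'
// and the 'oldstructure' field come from the advisory; all else is assumed.

// Vulnerable pattern: the save handler accepts any POST (no CSRF token) and
// the render function echoes the stored value unescaped (stored XSS).
function pm_save_settings_vulnerable() {
    $config = get_option('dean_pm_config', array());
    $config['oldstructure'] = $_POST['oldstructure'];   // stored untouched
    update_option('dean_pm_config', $config);
}
function pm_render_field_vulnerable() {
    $config = get_option('dean_pm_config', array('oldstructure' => ''));
    // Raw value lands inside an HTML attribute: a crafted save request poisons
    // every later page view for whoever opens the settings screen.
    echo '<input name="oldstructure" value="' . $config['oldstructure'] . '">';
}

// Hardened pattern: capability check plus nonce on save, escaping on output.
function pm_render_form() {
    $config = get_option('dean_pm_config', array('oldstructure' => ''));
    echo '<form method="post">';
    // Nonce is bound to the logged-in user; a third-party page cannot forge it.
    wp_nonce_field('dean_pm_save', 'dean_pm_nonce');
    // esc_attr() neutralises quotes and angle brackets before the attribute.
    echo '<input name="oldstructure" value="' . esc_attr($config['oldstructure']) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}
function pm_save_settings() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges');
    }
    // Dies unless the nonce from pm_render_form() is present and valid,
    // which is what stops the cross-site request in the advisory's "combo".
    check_admin_referer('dean_pm_save', 'dean_pm_nonce');

    $raw    = isset($_POST['oldstructure']) ? wp_unslash($_POST['oldstructure']) : '';
    $config = get_option('dean_pm_config', array());
    // Sanitize on input as well; output escaping above is the real XSS defence.
    $config['oldstructure'] = sanitize_text_field($raw);
    update_option('dean_pm_config', $config);
}
```

Escaping on output closes the stored injection on its own; the nonce is what removes the forged-request half of the attack, so both are needed.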
If you’re currently using the Dean’s Permalinks Migration Plugin version 1.0, it is strongly advised that you deactivate it and/or download and install the modified version to keep your blog secure. You can download the special sub-version 1.1-gx here.
If you want to read the PacketStorm advisory regarding the Dean’s Permalinks Migration Plugin vulnerability, click here. You can find this at page 20 of PacketStorm’s January advisory archives.
Hopefully no one gets victimized by this vulnerability. Have a fun and safe weekend everyone!