{"id":19348,"date":"2012-08-12T12:22:46","date_gmt":"2012-08-12T12:22:46","guid":{"rendered":"https:\/\/wordpress.org\/plugins-wp\/baw-anti-csrf\/"},"modified":"2013-09-12T13:17:18","modified_gmt":"2013-09-12T13:17:18","slug":"baw-anti-csrf","status":"closed","type":"plugin","link":"https:\/\/dzo.wordpress.org\/plugins\/baw-anti-csrf\/","author":6016133,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.5.2","stable_tag":"trunk","tested":"3.6.1","requires":"3.1","requires_php":"","requires_plugins":"","header_name":"BAW Anti CSRF","header_author":"juliobox","header_description":"","assets_banners_color":"fdf6f5","last_updated":"2013-09-12 13:17:18","external_support_url":"","external_repository_url":"","donate_link":"https:\/\/www.paypal.com\/cgi-bin\/webscr?cmd=_s-xclick&hosted_button_id=RB7646G6NVPWU","header_plugin_uri":"http:\/\/www.boiteaweb.fr\/","header_author_uri":"http:\/\/boiteaweb.fr\/plugin-anti-csrf-wordpress-faille-3556.html","rating":5,"author_block_rating":0,"active_installs":30,"downloads":9315,"num_ratings":2,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":[],"upgrade_notice":{"":"<p>Nothing.<\/p>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":"2"},"assets_icons":[],"assets_banners":{"banner-772x250.png":{"filename":"banner-772x250.png","revision":"584538","resolution":"772x250","location":"assets"}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":[],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":"604513","resolution":"1","location":"assets"},"screenshot-2.png":{"filename":"screenshot-2.png","revision":"604513","resolution":"2","location":"assets"}},"screenshots":{"1":"On the update page, click MY link or die. 
;)","2":"Example of my own die page with a support proposal ;)"},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[11153,600,6460,11154],"plugin_category":[54],"plugin_contributors":[78208],"plugin_business_model":[],"class_list":["post-19348","plugin","type-plugin","status-closed","hentry","plugin_tags-csrf","plugin_tags-security","plugin_tags-vulnerability","plugin_tags-xsrf","plugin_category-security-and-spam-protection","plugin_contributors-juliobox","plugin_committers-juliobox"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/s.w.org\/plugins\/geopattern-icon\/baw-anti-csrf_fdf6f5.svg","icon_2x":false,"generated":true},"screenshots":[{"src":"https:\/\/ps.w.org\/baw-anti-csrf\/assets\/screenshot-1.png?rev=604513","caption":"On the update page, click MY link or die. ;)"},{"src":"https:\/\/ps.w.org\/baw-anti-csrf\/assets\/screenshot-2.png?rev=604513","caption":"Example of my own die page with a support proposal ;)"}],"raw_content":"<!--section=description-->\n<p><a href=\"http:\/\/en.wikipedia.org\/wiki\/Cross-site_request_forgery\">Cross-site request forgery (CSRF)<\/a> has been one of the most famous web vulnerabilities for longer than I can remember.<\/p>\n\n<p>Many WordPress plugins (about 70%, by my estimate), from this repository or elsewhere, even premium plugins, are vulnerable to this flaw.<\/p>\n\n<p>To avoid getting hacked because of this, just install this plugin: no settings, no technical knowledge required. Just use your blog as usual. The plugin adds its own nonce to every back-end form and action link and stops, with an explanatory page, any request that arrives without a valid one.<\/p>\n\n<p>! FOR BACK-END (Dashboard) USAGE ONLY !<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Extract the plugin folder from the downloaded ZIP file.<\/li>\n<li>Upload the BAW Anti CSRF folder to your \/wp-content\/plugins\/ directory.<\/li>\n<li>Activate the plugin from the \"Plugins\" page in your Dashboard.<\/li>\n<li>That's all.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt>Why do I have to click your link when I'm on an update page?<\/dt>\n<dd><ul>\n<li>Because I use an output buffer to add my nonce to each form and action link, but on this page WordPress flushes that buffer before my code runs :( The link is just a Dashboard link.<\/li>\n<\/ul><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.5.2<\/h4>\n\n<ul>\n<li>12 sep 2012<\/li>\n<li>Little bug fix for my code improvement <em>sigh<\/em><\/li>\n<\/ul>\n\n<h4>1.5.1<\/h4>\n\n<ul>\n<li>12 sep 2012<\/li>\n<li>Little code improvement<\/li>\n<\/ul>\n\n<h4>1.5<\/h4>\n\n<ul>\n<li>04 sep 2012<\/li>\n<li>Bug fix: wp_create_nonce() undefined (hooked too soon)<\/li>\n<\/ul>\n\n<h4>1.4<\/h4>\n\n<ul>\n<li>04 sep 2012<\/li>\n<li>Add filters on admin_url() and network_admin_url() to add my nonce.<\/li>\n<\/ul>\n\n<h4>1.3<\/h4>\n\n<ul>\n<li>03 sep 2012<\/li>\n<li>Rollback of the 1.1 change: I have to keep the real nonce functions.<\/li>\n<\/ul>\n\n<h4>1.2<\/h4>\n\n<ul>\n<li>11 sep 2012<\/li>\n<li>Add more security: a warning page is shown before following a link without a token. More annoying, I admit, but more secure.<\/li>\n<\/ul>\n\n<h4>1.1.5<\/h4>\n\n<ul>\n<li>16 aug 2012<\/li>\n<li>Bug fix for Redirection (bad JS on my side, x2)<\/li>\n<\/ul>\n\n<h4>1.1.4<\/h4>\n\n<ul>\n<li>13 aug 2012<\/li>\n<li>Bug fix for Jetpack (bad JS on my side)<\/li>\n<\/ul>\n\n<h4>1.1.3<\/h4>\n\n<ul>\n<li>13 aug 2012<\/li>\n<li>Bug fix for some links without my nonce<\/li>\n<\/ul>\n\n<h4>1.1.2<\/h4>\n\n<ul>\n<li>13 aug 2012<\/li>\n<li>Bug fix for l10n loading<\/li>\n<\/ul>\n\n<h4>1.1.1<\/h4>\n\n<ul>\n<li>13 aug 2012<\/li>\n<li>Not a big deal, just forgot to add the plugin version to the die\/support page.<\/li>\n<\/ul>\n\n<h4>1.1<\/h4>\n\n<ul>\n<li>12 aug 2012<\/li>\n<li>Bug fix on redirection with wp_redirect()<\/li>\n<li>Better custom wp_die() page to explain the block and offer support<\/li>\n<li>Use my own nonce functions (cloned from WP core) so that malicious plugins cannot bypass mine<\/li>\n<\/ul>\n\n<h4>1.0.1<\/h4>\n\n<ul>\n<li>12 aug 2012<\/li>\n<li>Bug fix for the default core AJAX actions<\/li>\n<\/ul>\n\n<h4>1.0<\/h4>\n\n<ul>\n<li>12 aug 2012<\/li>\n<li>First release<\/li>\n<\/ul>\n\n<h4>0.1b, 0.2b, 0.3b<\/h4>\n\n<ul>\n<li>Three beta versions, tested by @rochdaniel, @screenfeedfr, @gcroupie, @tmaquet, @geekpressfr. Thanks, dudes!<\/li>\n<\/ul>","raw_excerpt":"Cross-site request forgery (CSRF) has been one of the most famous web vulnerabilities for longer than I can remember.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/dzo.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/19348","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dzo.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/dzo.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/dzo.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=19348"}],"author":[{"embeddable":true,"href":"https:\/\/dzo.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/juliobox"}],"wp:attachment":[{"href":"https:\/\/dzo.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=19348"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/dzo.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=19348"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/dzo.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=19348"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/dzo.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=19348"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/dzo.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=19
348"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/dzo.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=19348"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
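The plugin's FAQ and changelog describe its mechanism in three fragments: an output buffer that adds a token to every back-end form and action link, filters on admin_url() and network_admin_url() that append the nonce to generated links, and a custom wp_die() page shown when a request arrives without the token. The following is an added example, written for this page and not the BAW Anti CSRF plugin's own source, that puts those three pieces together as a minimal WordPress plugin using only core APIs (add_filter, wp_create_nonce, wp_verify_nonce, add_query_arg, ob_start, wp_die). The ang_* function names, the _ang_nonce field name and the 'ang-admin-request' action string are this example's own assumptions.

```php
<?php
/**
 * Plugin Name: Admin Nonce Guard (added example)
 *
 * Illustrative code, NOT the BAW Anti CSRF plugin's own source. It shows the
 * approach the page describes: tag every wp-admin link and form with a nonce
 * and refuse admin requests that arrive without a valid one. Only WordPress
 * core functions are used; the ang_* names, the _ang_nonce field and the
 * 'ang-admin-request' action string are this example's own assumptions.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

const ANG_ARG    = '_ang_nonce';        // query-arg / hidden-field name (assumed)
const ANG_ACTION = 'ang-admin-request'; // nonce action string (assumed)

/**
 * 1. Tag links. Every URL built with admin_url() / network_admin_url() gets
 *    the nonce appended. Hooked on 'init', not at plugin-load time, because
 *    wp_create_nonce() lives in pluggable.php and needs the current user:
 *    the "hooked too soon" bug from the plugin's changelog.
 */
add_action( 'init', function () {
	if ( ! is_user_logged_in() ) {
		return;
	}
	$tag = function ( $url ) {
		return add_query_arg( ANG_ARG, wp_create_nonce( ANG_ACTION ), $url );
	};
	add_filter( 'admin_url', $tag );
	add_filter( 'network_admin_url', $tag );
} );

/**
 * 2. Tag forms. Buffer the whole admin page and inject a hidden field right
 *    after every <form ...> opening tag (GET forms too: WordPress list-table
 *    bulk actions submit with method="get" and an "action" parameter).
 */
add_action( 'admin_init', function () {
	if ( ! wp_doing_ajax() ) {
		ob_start( 'ang_inject_hidden_field' );
	}
} );

function ang_inject_hidden_field( $html ) {
	$field = '<input type="hidden" name="' . ANG_ARG . '" value="'
		. esc_attr( wp_create_nonce( ANG_ACTION ) ) . '" />';
	return preg_replace( '/(<form\b[^>]*>)/i', '$1' . $field, $html );
}

/**
 * 3. Enforce. Priority 0 on 'admin_init' so this runs before any plugin's
 *    own admin_init handler gets to process the request.
 */
add_action( 'admin_init', 'ang_enforce_nonce', 0 );

function ang_is_state_changing_request() {
	if ( wp_doing_ajax() || wp_doing_cron() ) {
		return false; // left to the handlers' own check_ajax_referer() calls
	}
	if ( 'POST' === ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
		return true;
	}
	// GET "action links" (?action=delete&post=1, bulk action/action2) change state too.
	return isset( $_GET['action'] ) || isset( $_GET['action2'] );
}

function ang_enforce_nonce() {
	if ( ! ang_is_state_changing_request() ) {
		return;
	}
	$nonce = isset( $_REQUEST[ ANG_ARG ] ) ? (string) $_REQUEST[ ANG_ARG ] : '';
	if ( wp_verify_nonce( $nonce, ANG_ACTION ) ) {
		return; // 1 or 2: a nonce from the current or the previous tick
	}
	// Bookmarked or hand-typed admin URLs land here as well, so give the user
	// a tagged Dashboard link instead of a dead end (the plugin's
	// "click my link or die" page does the same).
	wp_die(
		'This request carried no valid anti-CSRF token. '
		. '<a href="' . esc_url( admin_url() ) . '">Continue to the Dashboard</a>',
		'Request blocked',
		array( 'response' => 403 )
	);
}
```

Two caveats a practitioner should keep in mind. First, a blanket token like this is a safety net layered over handlers that forgot their own check, not a replacement for per-action check_admin_referer() / check_ajax_referer() calls, and the same nonce ends up on every link, so any page that leaks a URL (a referrer, a copied link) leaks a token valid for up to a day. Second, the buffering step is fragile in exactly the way the plugin's FAQ reports: WordPress's upgrader skin calls wp_ob_end_flush_all() while an update runs, so forms printed after that flush never receive the hidden field, which is why the plugin falls back to offering a tagged Dashboard link to click.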