1. Abstract There is and a XSRF under Dean's Permalinks Migration Plugin version 1.0 which allow any attacker to conduct the user to do and a unsolicited action this combined within a XSS bug (also found) in the plugin allows and attacker to gain valid credentials for the WordPress based CMS. 2. Explanation Since the variable $dean_pm_config['oldstructure'] its not correctly sanitized (when retrieving), this allow any user to store/save "malicious code" inside the database and later be injected this "malicious code" when the data is retrieved. Using the XSRF as a "combo" we can create crafted pages that will force users to conduct this injection and steal some valid credentials to the WordPress based CMS. 3. Proof-Of-Concept This is a very innocent and short PoC... You can download this PoC here: http://g30rg3x.com/wp-files/PoC_dpm_10.zip 4. Solution Since i couldn't contact the plugin author by any of the public ways that he left on his website this force me to make and release and a special sub-version for the plugin, version which i call 1.1-gx... This version adds the need protection against the vulnerability and uses some of the WordPress coding standards suggest by the WordPress Developers. You can download this version here: http://g30rg3x.com/wp-files/dpm_11gx.zip 5. Timeline Bug Found: 11/01/2008 Vendor Contact: 12/01/2008 Vendor Response: --/--/-- Public Disclosure: 21/01/2008 Copy: http://g30rg3x.com/xsrf-bajo-deans-permalinks-migration-10/ (Spanish Only) _________________________ g30rg3_x