Another Major Security Hole in WordPress

In the ongoing discussion about check_admin_referer, and how CSRF attacks can be used to trick administrators into deleting posts from their blogs, I missed another attack suggested by Paul Mitchell. This attack only affects blogs that allow users to register and submit drafts. However, for those sites it’s a nuclear attack.

Because drafts can contain images (which comments usually can’t, by default) this attack enables any user to delete every post. A malicious user simply has to post a draft (not even a published article) that contains img elements pointing to the delete links. As soon as an administrator views the draft, all the referenced articles are immediately deleted. The administrator does not even have to follow a link. The same attack can work to delete comments as well.

Once again this is caused by a failure to adhere to REST, specifically the use of GET to delete posts and comments. Paul’s working on fixing this one; but the main trunk of WordPress development is still burying its head in the sand and blaming the message bearer.

In the meantime, if you’re allowing arbitrary users to submit drafts to your WordPress blog, stop. Do not grant arbitrary users any role other than “Subscriber.” Only users you trust should be allowed to submit drafts or publish articles directly. Everyone else should go through e-mail or some other non-WordPress mechanism. Yes, it’s less convenient; but until WordPress is patched to fix this (perhaps sometime in the next decade or two) this is the only way to maintain a secure installation.
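To make the REST point concrete, here is an added illustration (my own sketch, not WordPress code and not Paul’s patch) of a delete action that the img trick cannot trigger: it ignores GET outright and requires a nonce bound to the action, the target post and the logged-in user. `SECRET_KEY`, the function names and the user id are stand-ins.

```php
<?php
// Added example, not WordPress code: a delete handler that an <img src>
// on a draft cannot fire, because (1) GET is never a state change and
// (2) a POST must carry a nonce tied to the action, post and user.
// SECRET_KEY and the user id are placeholders for a real deployment.

define('SECRET_KEY', 'replace-with-a-long-random-server-secret');

// The nonce is an HMAC over the action, target id and user id. Someone who
// can only place an image element on a page can neither read nor forge it.
function make_nonce(string $action, int $post_id, int $user_id): string {
    return hash_hmac('sha256', $action . '|' . $post_id . '|' . $user_id, SECRET_KEY);
}

// True only for a POST carrying a valid nonce for this user and post.
function delete_request_allowed(string $method, array $params, int $user_id): bool {
    if ($method !== 'POST') {
        return false;                           // GET must never delete anything
    }
    if (!isset($params['post_id'], $params['_nonce'])) {
        return false;                           // no nonce, no action
    }
    $post_id  = (int) $params['post_id'];
    $expected = make_nonce('delete-post', $post_id, $user_id);
    // hash_equals compares in constant time, so the nonce can't be guessed byte by byte
    return hash_equals($expected, (string) $params['_nonce']);
}

// The form a legitimate admin page would render; the nonce travels with the POST.
function render_delete_form(int $post_id, int $user_id): string {
    $nonce = htmlspecialchars(make_nonce('delete-post', $post_id, $user_id));
    return '<form method="post" action="delete.php">'
         . '<input type="hidden" name="post_id" value="' . $post_id . '">'
         . '<input type="hidden" name="_nonce" value="' . $nonce . '">'
         . '<button type="submit">Delete</button></form>';
}

// Simulated requests (constructed): the image-style GET is refused,
// the genuine form submission is accepted.
$user = 1;
var_dump(delete_request_allowed('GET', ['post_id' => 42], $user));
$form_nonce = make_nonce('delete-post', 42, $user);
var_dump(delete_request_allowed('POST', ['post_id' => 42, '_nonce' => $form_nonce], $user));
echo render_delete_form(42, $user), "\n";
```

Run with `php delete-demo.php`; the first check prints false and the second true, which is exactly the property check_admin_referer is supposed to guarantee.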
