WordPress 3.4.2 fails to invalidate a user’s sessions upon logout.
WordPress was originally notified of this issue in November 15, 2012.
CVE number: CVE-2012-5868
Vendor homepage: http://wordpress.com/
Vendor notified: 11/2012
Vendor fixed: N/A
Credit: Christopher Emerson of White Oak Security
Confirmed in self-hosted version WordPress 3.4.2. Other versions may also be affected.
When a user explicitly logs out of the WordPress 3.4.2 Administrator interface via the logout link (https://domainame.com/wp-login.php?action=logout), Wordpress clears the cookies in the user’s browser, but fails to invalidate the session cookie within the application.
A malicious user can take a a previously authenticated user’s session cookie (wordpress_sec), add that cookie to a request for the administrator interface (example https://domainname.com/wp-admin/profile.php), and they will have access to the interface with the same roles and privileges as the original valid user.
This vulnerability lengthens the windows for brute force session identifier guessing attacks and session identifier replay attacks. Successful exploitation would allow attackers to masquerade as the victim within the application.
Since the WordPress does not have server side session management, the application should keep track of session identifiers where a user has explicitly logged out, and prevent those sessions from connecting to the application.
This vulnerability was published publicly on December 17th, 2012.