WordPress 3.6 Post/Media/Pages User-Forging

This works for posts, media and pages. The bug allows normal users to forge their identity and create a post, media file or page as another user.

Based on our research so far, this allows for a user to post as another user, but this means that A) they must already be allowed to publish content, and B) they then lose the ability to edit that post. This of course is bad when you start to consider the possibility of a compromised account, or when combined with some other vulnerability or workflow that allows for an untrusted person to publish a post. It could also be dangerous on multisite, as any user on the network can be forged. – A response from WordPress

Tested on: Windows 7 and Backtrack Linux
Browser: Firefox
Firefox plugin used: Tamper Data
WordPress version: 3.6 (latest version)

POC
Forging your post/media/pages

Post User-Forging (users must have permission to make posts). Tested with author permission.
1) Add a new post or edit an old post.
2) Before you press submit or update, open Tamper Data and start tampering.
3) Press submit / update in WordPress.
4) Change the value of the following parameters:
user_ID, post_author
To make the post appear to come from the admin, enter 1 as the value of these parameters.
5) Submit.
6) You should now see that the owner of the user ID you entered earlier is shown as the author of the post you just made.

Media User-forging (you will need any account with permission to create media files)
1) First add a new media file.
2) Edit the media file.
3) Press update.
4) Tamper the data just like before.
5) Change the value of the following parameters:
user_ID, post_author
To make the media file appear to come from the admin, enter 1 as the value of these parameters.
6) Submit.
7) You should now see that the owner of the user ID you entered earlier is shown as the creator of the media file.

Pages User-forging
1) Same concept

Vulnerable File:
wp-admin/includes/post.php
Vulnerable Code/Line:
if ( !isset($post_data['user_ID']) )
    $post_data['user_ID'] = $GLOBALS['user_ID'];
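
The pattern above next to a hardened form, as an added example that is not WordPress core code and not the code from the linked changeset. The function names, the boolean capability flag and the sample request are assumptions made for illustration.

```php
<?php
// Added illustration, not WordPress core code; function names are hypothetical.

// Pattern shown on the page: a user_ID sent by the client is kept, and the
// session value is only a fallback.
function translate_vulnerable(array $post_data, int $session_user_id): array
{
    if (!isset($post_data['user_ID'])) {
        $post_data['user_ID'] = $session_user_id;
    }
    return $post_data;
}

// Hardened pattern: identity comes only from the session, and a different
// post_author needs an explicit capability (modelled here as a boolean).
function translate_hardened(array $post_data, int $session_user_id, bool $can_edit_others): array
{
    $post_data['user_ID'] = $session_user_id; // overwrite whatever the client sent

    $author = isset($post_data['post_author'])
        ? (int) $post_data['post_author']
        : $session_user_id;
    if ($author !== $session_user_id && !$can_edit_others) {
        throw new RuntimeException('post_author does not match the logged-in user');
    }
    $post_data['post_author'] = $author;
    return $post_data;
}

// Constructed request: account with ID 5 submits the tampered fields.
$tampered = ['post_title' => 'Hello', 'user_ID' => '1', 'post_author' => '1'];

$v = translate_vulnerable($tampered, 5);
echo "vulnerable: user_ID={$v['user_ID']} post_author={$v['post_author']}\n";

try {
    translate_hardened($tampered, 5, false);
} catch (RuntimeException $e) {
    echo "hardened, no capability: rejected ({$e->getMessage()})\n";
}

$h = translate_hardened($tampered, 5, true);
echo "hardened, with capability: user_ID={$h['user_ID']} post_author={$h['post_author']}\n";
```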

http://core.trac.wordpress.org/changeset/25316
http://wordpress.org/news/2013/09/wordpress-3-6-1/