PT-2012-3667 · WordPress · Wordpress
Author: Ivano Binetti
Published: 2012-05-03 · Updated: 2024-08-06
CVE-2012-1936 · CVSS v2.0 6.8 (Medium)
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
WordPress versions 3.3.1 and earlier
Description
The issue is related to the wp_create_nonce function, which associates a nonce with a user account instead of a user session, so a nonce observed in one session of a user remains valid in that user's other sessions. This might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on specific actions and objects by sniffing the network. Attacks can be demonstrated against the "wp-admin/admin-ajax.php" and "wp-admin/user-new.php" scripts. The vendor reportedly disputes the significance of this issue, stating that wp_create_nonce operates as intended.
Recommendations
For WordPress versions 3.3.1 and earlier, consider updating to a newer version to mitigate the risk of CSRF attacks. As a temporary workaround, restrict access to the "wp-admin/admin-ajax.php" and "wp-admin/user-new.php" scripts to minimize the risk of exploitation. Avoid using the wp_create_nonce function until the issue is resolved.
Weakness
CSRF
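The distinction between an account-bound and a session-bound nonce, as an added illustration (this is a model of the scheme, not WordPress code): `SECRET_KEY`, the session tokens and the action name are constructed values, and the tick/half-lifetime logic follows the WordPress design in simplified form.

```python
import hashlib
import hmac
from typing import Optional

# Constructed secret standing in for the site's nonce key/salt; not a real key.
SECRET_KEY = b"constructed-demo-secret"
NONCE_LIFE = 86400  # nonce lifetime in seconds (one day, the WordPress default)


def nonce_tick(now: int) -> int:
    """Half-lifetime tick, so a nonce stays valid across one tick rollover."""
    return now // (NONCE_LIFE // 2)


def make_nonce(action: str, user_id: int, session_token: Optional[str], now: int) -> str:
    """Model of wp_create_nonce. With session_token=None the value depends only on
    (tick, action, user id): the CVE-2012-1936 behaviour, where every session of the
    same user shares one nonce. Mixing in a session token makes it per-session."""
    parts = [str(nonce_tick(now)), action, str(user_id)]
    if session_token is not None:
        parts.append(session_token)
    digest = hmac.new(SECRET_KEY, "|".join(parts).encode(), hashlib.sha256).hexdigest()
    return digest[-10:]


def verify_nonce(nonce: str, action: str, user_id: int, session_token: Optional[str], now: int) -> bool:
    """Accept a nonce minted in the current or the previous tick; reject anything older."""
    for offset in (0, NONCE_LIFE // 2):
        candidate = make_nonce(action, user_id, session_token, now - offset)
        if hmac.compare_digest(candidate, nonce):
            return True
    return False


def cross_session_replay(action: str, user_id: int, now: int) -> dict:
    """Two sessions (constructed tokens) of the same user: does a nonce minted in
    session A verify in session B? True means the nonce is bound to the account,
    not the session, which is the weakness described above."""
    token_a, token_b = "sess-a-token", "sess-b-token"
    user_bound = make_nonce(action, user_id, None, now)
    session_bound = make_nonce(action, user_id, token_a, now)
    return {
        "user_bound_replays": verify_nonce(user_bound, action, user_id, None, now),
        "session_bound_replays": verify_nonce(session_bound, action, user_id, token_b, now),
        "session_bound_in_own_session": verify_nonce(session_bound, action, user_id, token_a, now),
        "expired_after_lifetime": not verify_nonce(session_bound, action, user_id, token_a, now + NONCE_LIFE),
    }
```

Binding the nonce to the session token means a value captured from one session is useless in any other, and the normal expiry still applies.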
Affected Products
Wordpress