• Resolved sdeblebo

    (@sdeblebo)


    We have had our WordPress multisite installation scanned for vulnerabilities. The report is coming back with the following issues:

    ——

    HIGH: HTML5 Cross Origin Resource Sharing (CORS) policy permits any origin. The HTTP request was modified to include a CORS header specifying https://….appcheck-ng.com as the origin domain.

    The inclusion of the access-control-allow-credentials header means that the site permits authenticated requests using cookies.

    MEDIUM: HTML5 Cross Origin Resource Sharing (CORS) policy permits wildcard domains. Attack URL https://…./wp-json/oembed/1.0/embed?

    The HTTPS application implements an HTML5 Cross-Origin Resource Sharing (CORS) policy that permits wildcard origins with the same parent domain as the target. The affected endpoint also permits cookies via the Access-Control-Allow-Credentials header.

    ——

    Does anyone have experience of this issue and how to fix it?

    Many thanks,

    Steve
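
The two behaviours the report describes, next to an exact-match allowlist that triggers neither, as an added example that is not part of the original post and is not WordPress code. The hosts, probe origins and function names are constructed for illustration, and the grading mirrors the report's HIGH/MEDIUM wording rather than the scanner's own logic.

```python
# Added example: every host, origin and policy here is constructed.
from urllib.parse import urlsplit

PARENT = "example.org"                    # constructed parent domain
ALLOWED = {"https://blog.example.org"}    # constructed exact-origin allowlist

def _headers(origin, allow):
    """CORS response headers a server would emit for this allow/deny decision."""
    if not allow:
        return {}                         # no CORS headers: browser blocks the read
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}             # keep caches from mixing per-origin replies

def reflect_any(origin):
    """Echoes whatever Origin was sent (behaviour behind the HIGH finding)."""
    return _headers(origin, True)

def parent_wildcard(origin):
    """Trusts every host under the parent domain (behind the MEDIUM finding)."""
    host = urlsplit(origin).hostname or ""
    return _headers(origin, host == PARENT or host.endswith("." + PARENT))

def strict_allowlist(origin):
    """Trusts only origins that match an allowlist entry exactly."""
    return _headers(origin, origin in ALLOWED)

def _trusted_with_cookies(policy, origin):
    """True if the policy echoes this origin and also allows credentials."""
    h = {k.lower(): v for k, v in policy(origin).items()}
    return (h.get("access-control-allow-origin") == origin
            and h.get("access-control-allow-credentials", "").lower() == "true")

def audit(policy):
    """Probe a policy with two constructed origins and grade the result."""
    if _trusted_with_cookies(policy, "https://scanner.invalid"):
        return "HIGH: any origin trusted with credentials"
    if _trusted_with_cookies(policy, "https://unowned-sub." + PARENT):
        return "MEDIUM: any subdomain of the parent trusted with credentials"
    return "OK"

if __name__ == "__main__":
    for policy in (reflect_any, parent_wildcard, strict_allowlist):
        print(f"{policy.__name__:17} -> {audit(policy)}")
```
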

Viewing 1 replies (of 1 total)
  • The topic ‘Security issue with CORS’ is closed to new replies.