
WordPress fix Security issue with CORS

Discussion in 'Misc WordPress Requests' started by sdeblebo, Nov 1, 2017.

  1. sdeblebo

    Guest

    Security issue with CORS, by sdeblebo

    We have had our WordPress multisite installation scanned for vulnerabilities. The report is coming back with the following issues:

    ——

    HIGH: HTML5 Cross Origin Resource Sharing (CORS) policy permits any origin. The HTTP request was modified to include a CORS header specifying http://….appcheck-ng.com as the origin domain.

    The inclusion of the access-control-allow-credentials header means that the site permits authenticated requests using cookies.

    MEDIUM: HTML5 Cross Origin Resource Sharing (CORS) policy permits wildcard domains. Attack URL https://…./wp-json/oembed/1.0/embed?

    The HTTPS application implements an HTML5 Cross-Origin Resource Sharing (CORS) policy that permits wildcard origins with the same parent domain as the target. The affected endpoint also permits cookies via the Access-Control-Allow-Credentials header.

    ——

    Does anyone have experience of this issue and how to fix it?

    Many thanks,

    Steve

    #1
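
One way to address both findings, as an added example that is not part of the original post: a must-use plugin that replaces the REST API's origin-reflecting CORS headers with an exact-match allowlist. It assumes the headers come from WordPress core's default `rest_send_cors_headers` handler rather than from another plugin or the web server configuration; the plugin name and the origins listed are constructed placeholders.

```php
<?php
/**
 * Plugin Name: REST CORS allowlist (added example, hypothetical name)
 * Description: Sends CORS headers on /wp-json/ only to explicitly listed origins.
 */

// Constructed sample values: replace with the origins that genuinely need
// credentialed cross-origin access to the REST API. Leave empty for none.
const EXAMPLE_CORS_ALLOWED_ORIGINS = array(
    'https://www.example.org',
    'https://app.example.org',
);

// Priority 15: core registers its default REST filters on rest_api_init at
// priority 10, so the default handler is in place by the time this runs.
add_action( 'rest_api_init', function () {
    // The default handler echoes whatever Origin the client sent and adds
    // Access-Control-Allow-Credentials: true, which is what the scan flagged.
    remove_filter( 'rest_pre_serve_request', 'rest_send_cors_headers' );

    add_filter( 'rest_pre_serve_request', function ( $served ) {
        $origin = get_http_origin();

        // The response now depends on Origin, so shared caches must key on it.
        header( 'Vary: Origin', false );

        // Exact, case-sensitive string comparison. No wildcard, suffix or
        // regex matching, so a sibling subdomain is not trusted implicitly.
        if ( $origin && in_array( $origin, EXAMPLE_CORS_ALLOWED_ORIGINS, true ) ) {
            header( 'Access-Control-Allow-Origin: ' . $origin );
            header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
            header( 'Access-Control-Allow-Credentials: true' );
        }

        // Any other origin receives no Access-Control-* headers, so the
        // browser blocks cross-origin scripts from reading the response.
        return $served;
    } );
}, 15 );
```

Placed in `wp-content/mu-plugins/`, this applies to every site in the network. Rescanning with an unlisted `Origin` header should then show no `Access-Control-Allow-Origin` or `Access-Control-Allow-Credentials` header in the `/wp-json/` responses.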
