WordPress – CSRF>XSS>Shell>Profit.

I did a small penetration test in 2013/14 for a client’s WordPress site, which has since been my go-to anecdote for explaining the potential of XSS… probably because, to non-sec folk, what it achieved sounds amazing, although it’s really rather easy to explain how and why it worked. This is that anecdote…