Vulnerability found with Wordpress and WooCommerce! You might want to apply this patch!


X-Frame-Options ALLOW-FROM https://wordpresssite/my-account/ is supported by several browsers.

Steps To Reproduce:

  1. Create a new HTML file.
  2. Put <iframe src="https://wordpresssite/my-account/"></iframe> in the file.
  3. Save the file.
  4. Open document in browser.


An attacker may trick a user by sending them a malicious link; the user opens it, clicks some image, and their account is unconsciously deactivated.


To fix the vulnerability by adding "frame-ancestors 'self';" to the CSP (Content-Security-Policy) header with Nginx, you can add the following line inside your Nginx server block:

add_header Content-Security-Policy "frame-ancestors 'self';";

This will set the frame-ancestors directive of the Content-Security-Policy header to 'self', which means that only your own domain is allowed to embed your page using <frame>, <iframe>, <object>, <embed>, or <applet>.


Content-Security-Policy: frame-ancestors 'self' is better, because it checks all frame ancestors. You should implement a CSP header to avoid these sorts of attacks.

You’re welcome!




Is this vulnerability introduced by WooCommerce, or is applicable to Wordpress alone too?

By the way, YunoHost’s /etc/nginx/conf.d/ already includes more_set_headers "X-Frame-Options : SAMEORIGIN";, which seems to have the same effect as CSP “frame-ancestors”.
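Added example, not code from the report above or from YunoHost or WordPress: a small evaluator for the two anti-framing mechanisms this thread compares, the CSP frame-ancestors fix proposed in the report and the X-Frame-Options: SAMEORIGIN default mentioned in the reply above. Given the response headers of the framed page and the origins of every frame above it, it answers whether a current browser would render the page inside that frame. It encodes three facts worth knowing when choosing between the two headers: when a policy carries frame-ancestors, browsers ignore X-Frame-Options completely; current Chrome, Firefox and Safari check the whole ancestor chain for SAMEORIGIN, so the two settings are close in effect; and ALLOW-FROM is not implemented by current browsers, so a response carrying only that value is treated as if it had no anti-framing header at all. The origin names (wordpresssite, evil.example, partner.example) and header sets are constructed for the demonstration.

```javascript
// Added example, not code from the original post or from YunoHost/WordPress: a small
// evaluator for the two anti-framing mechanisms discussed in this thread. Given the
// response headers of the framed page and the origins of every frame above it, it answers
// whether a current browser would render the page inside that frame. All origin names and
// header sets below are constructed for the demonstration.

const DEFAULT_PORT = { https: "443", http: "80" };

// Split a normalized origin ("scheme://host[:port]") into scheme, host and effective port.
function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1).toLowerCase();
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || DEFAULT_PORT[scheme] || "" };
}

// Does one frame-ancestors source expression permit `ancestor` to embed `page`?
// Covers the common cases: *, 'self', 'none', scheme-source ("https:") and
// host-source ("[scheme://]host[:port]" with an optional leading "*." wildcard).
function sourceMatches(src, ancestor, page) {
  if (src === "*") return true;
  if (src === "'none'") return false;
  if (src === "'self'") return ancestor === page;
  const a = parseOrigin(ancestor);
  const p = parseOrigin(page);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return a.scheme === src.slice(0, -1).toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false; // unrecognized expression never matches
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (scheme.toLowerCase() !== a.scheme) return false;
  } else if (a.scheme !== p.scheme && !(p.scheme === "http" && a.scheme === "https")) {
    return false; // no scheme given: same scheme as the page, or an https upgrade of an http page
  }
  const h = host.toLowerCase();
  if (wildcard ? !a.host.endsWith("." + h) : a.host !== h) return false;
  const expectedPort = port || DEFAULT_PORT[a.scheme] || "";
  return expectedPort === "*" || expectedPort === a.port;
}

// Return the frame-ancestors source list of a CSP header value, or null if the directive is absent.
function frameAncestorsSources(cspValue) {
  for (const directive of cspValue.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

// headers: lower-cased header name -> value (an array when Content-Security-Policy is repeated).
// ancestors: origins of every frame above the page, nearest parent first.
function framingAllowed(headers, pageOrigin, ancestors) {
  const cspValues = [].concat(headers["content-security-policy"] || []);
  const policies = cspValues.map(frameAncestorsSources).filter(Boolean);
  if (policies.length > 0) {
    // When any policy carries frame-ancestors, browsers ignore X-Frame-Options entirely;
    // every ancestor must be allowed by every such policy.
    for (const sources of policies) {
      for (const anc of ancestors) {
        if (!sources.some((s) => sourceMatches(s, anc, pageOrigin))) {
          return { allowed: false, reason: `frame-ancestors rejects ${anc}` };
        }
      }
    }
    return { allowed: true, reason: "frame-ancestors permits every ancestor" };
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") {
    // Current browsers check the whole ancestor chain, not just the top-level document.
    const other = ancestors.find((anc) => anc !== pageOrigin);
    return other
      ? { allowed: false, reason: `X-Frame-Options: SAMEORIGIN rejects ${other}` }
      : { allowed: true, reason: "X-Frame-Options: SAMEORIGIN, all ancestors same-origin" };
  }
  if (xfo.startsWith("ALLOW-FROM")) {
    // Chrome, Safari and Firefox (since 70) do not implement ALLOW-FROM; the header is ignored.
    return { allowed: true, reason: "X-Frame-Options: ALLOW-FROM is ignored by current browsers" };
  }
  return { allowed: true, reason: "no anti-framing header" };
}

// Constructed scenario from the report: an attacker page framing /my-account/.
const SITE = "https://wordpresssite";    // origin of the WordPress site named in the report
const ATTACKER = "https://evil.example"; // origin hosting the attacker's HTML file (constructed)

const noHeaders = {};                                                    // what the report found
const yunohostDefault = { "x-frame-options": "SAMEORIGIN" };             // YunoHost's nginx default from the reply above
const cspFix = { "content-security-policy": "frame-ancestors 'self';" }; // the fix proposed in the report

function demo() {
  return {
    vulnerable: framingAllowed(noHeaders, SITE, [ATTACKER]).allowed,
    xfoSameOrigin: framingAllowed(yunohostDefault, SITE, [ATTACKER]).allowed,
    cspSelf: framingAllowed(cspFix, SITE, [ATTACKER]).allowed,
    // nesting a same-origin frame inside the attacker page does not help the attacker
    nested: framingAllowed(cspFix, SITE, [SITE, ATTACKER]).allowed,
  };
}

console.log(demo()); // { vulnerable: true, xfoSameOrigin: false, cspSelf: false, nested: false }
```

To check a live deployment, fetch the page's response headers (for example with curl -I) and pass them, lower-cased, as the `headers` object; a result of `allowed: true` for an attacker-controlled ancestor origin reproduces the condition the report describes, and adding either SAMEORIGIN or frame-ancestors 'self' turns it to `false`. The evaluator is a model of browser behaviour, not a browser, so treat it as a quick sanity check rather than a substitute for testing in the browsers you care about.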

Might be both, haven’t tested that out yet. But in this case, people might be rather safe than sorry!

Can be, but I still was able to reproduce this issue with the steps I've provided.

The actual answer is important because we can’t just be attempting to fix every security issue that any random Wordpress plugin could introduce …