CSRF to add admin [wordpress]

This researcher discovered that WordPress was vulnerable to CSRF attacks when Flash files are uploaded to the application with extensions matching trusted file types, since the Flash plugin will load/run the file in certain cases, regardless of the extension and Content-Type header of that file. To resolve this issue, WordPress implemented more strict file-type checks on uploaded files to limit the ability for flash files to be uploaded.