WordPress Disqus 2.7.5 CSRF / Cross Site Scripting

2014.08.13
Risk: Medium
Local: No
Remote: Yes
CVE: N/A

Vendor: Disqus for Wordpress - https://wordpress.org/plugins/disqus-comment-system
Code repo: https://github.com/disqus/disqus-wordpress/
Version affected: up to v2.7.5

15th most popular Wordpress plugin with 1.4M+ installs.

Three issues: CSRF in manage.php, no nonce check on settings reset or delete and reflected XSS in upgrade.php.

Full details: https://www.nikcub.com/posts/multiple-vulnerabilities-in-disqus-wordpress-plugin/

Reported: June 9th 2014
Patched: June 24th 2014 in v2.7.6

Nik

--
Nik Cubrilovic - http://www.nikcub.com

References:

https://www.nikcub.com/posts/multiple-vulnerabilities-in-disqus-wordpress-plugin/
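For reviewing other plugins for the two bug classes named above (state changes without a nonce check, request data echoed without escaping), the following heuristic source audit is an added example, not code from the advisory or from the Disqus plugin. The PHP samples and the option name `example_setting` are constructed for illustration; the WordPress function names are real core helpers.

```python
import re

# WordPress core helpers that verify a nonce (anti-CSRF token).
NONCE_CHECKS = re.compile(r"\b(check_admin_referer|check_ajax_referer|wp_verify_nonce)\s*\(")
# Calls that change stored settings, such as a settings reset or delete.
STATE_CHANGES = re.compile(r"\b(update_option|delete_option|add_option)\s*\(")
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST)\[")
# An echo/print/short-echo statement that contains request data.
RAW_ECHO = re.compile(r"(?:\b(?:echo|print)\b|<\?=)[^;]*\$_(?:GET|POST|REQUEST)\[")
# WordPress escaping helpers (plus integer casts) that neutralise markup.
ESCAPED = re.compile(r"\b(esc_html|esc_attr|esc_url|esc_js|intval|absint)\s*\(")


def audit_php(source):
    """Return heuristic findings for one PHP file's source text."""
    findings = []
    # File-level check: request-driven state change with no nonce verification anywhere.
    if (REQUEST_INPUT.search(source) and STATE_CHANGES.search(source)
            and not NONCE_CHECKS.search(source)):
        findings.append("state change driven by request data with no nonce check")
    # Line-level check: request parameter written to the page without escaping.
    for lineno, line in enumerate(source.splitlines(), 1):
        if RAW_ECHO.search(line) and not ESCAPED.search(line):
            findings.append(f"line {lineno}: request parameter echoed without escaping")
    return findings


# Constructed samples (not the plugin's code): each weak form beside its corrected form.
VULN_SETTINGS = """<?php
if (isset($_POST['reset'])) {
    delete_option('example_setting');
}
"""
FIXED_SETTINGS = """<?php
if (isset($_POST['reset'])) {
    check_admin_referer('example-reset');
    delete_option('example_setting');
}
"""
VULN_ECHO = """<?php echo '<input value="' . $_GET['step'] . '">';"""
FIXED_ECHO = """<?php echo '<input value="' . esc_attr($_GET['step']) . '">';"""

if __name__ == "__main__":
    for name in ("VULN_SETTINGS", "FIXED_SETTINGS", "VULN_ECHO", "FIXED_ECHO"):
        print(name, audit_php(globals()[name]))
```

The check is pattern-based, so a hit is a prompt for manual review and a clean result does not prove a handler is safe (for example, a nonce check in one function does not protect another in the same file).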

