WordPress Disqus 2.7.7 Cross Site Request Forgery

2014-08-19 / 2014-08-24

Credit: Voxel

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2014-5346

CWE: CWE-352

Disqus for Wordpress
https://wordpress.org/plugins/disqus-comment-system
Version affected: up to v2.77
CSRF allows for activation and deactivation of the plugin and syncing comments between Disqus servers and the WP database.
They supposedly just fixed the CSRF issues. Ugh. Sorry Nik. Even when you tell them about nonces they still don't get it right.
More details can be found here:
https://vexatioustendencies.com/csrf-in-disqus-wordpress-plugin-v2-77/

References:

http://cxsecurity.com/issue/WLB-2014080055

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WordPress Disqus 2.7.7 Cross Site Request Forgery

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.