SecurityHome.eu Security vulnerability: WordPress Disqus 2.7.5 CSRF / Cross Site Scripting

Home / vulnerabilities PDF

WordPress Disqus 2.7.5 CSRF / Cross Site Scripting
Posted on 13 August 2014
Source : packetstormsecurity.org Link

Vendor: Disqus for Wordpress -
https://wordpress.org/plugins/disqus-comment-system
Code repo: https://github.com/disqus/disqus-wordpress/
Version affected: up to v2.7.5

15th most popular Wordpress plugin with 1.4M+ installs. Three issues:
CSRF in manage.php, no nonce check on settings reset or delete and
reflected XSS in upgrade.php.

Full details:

https://www.nikcub.com/posts/multiple-vulnerabilities-in-disqus-wordpress-plugin/

Reported: June 9th 2014
Patched: June 24th 2014 in v2.7.6

Nik

--
Nik Cubrilovic - http://www.nikcub.com

TOP

Malware :

RATDispenser
whispergate
Borat RAT
Trojanized X_Trader
BlackLotus

Last 20

Exploits :

Relate Cross Site Scripting
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Authentication Bypass
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Insecure Direct Object Reference
Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Authentication Bypass
Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Insecure Direct Object Reference

Last 20