A researcher has identified several vulnerabilities in the WordPress plugin for Disqus, the popular comment hosting service for websites and online communities.
A total of three flaws have been identified by Nik Cubrilovic, who detailed his findings on his personal blog. The most serious issue he found is a cross-site request forgery (CSRF) affecting the “Manage.php” file, which is used for plugin settings. The problem is that some parameters are passed without proper filtering, enabling an attacker to inject an exploit via CSRF.
The researcher created an example exploit and tried it out in a real-world scenario by sending a spear phishing email to a website administrator. This social engineering part is needed because the victim needs to visit a page set up by the attacker for the exploit to work.
In the same settings file, Cubrilovic noticed that the nonce isn’t checked on submit. A nonce is a one-time token generated by WordPress websites to ensure that repeated, expired or malicious requests are not processed. Developers should use the wp_verify_nonce function on submit in order to verify if a nonce is correct and valid.
The creators of the WordPress plugin for Disqus included a nonce, but failed to verify it on submit, allowing an attacker to use CSRF to trigger the “reset” function or delete any of the plugin’s options, Cubrilovic said.
Finally, the expert identified an unfiltered parameter in the upgrade script which could have been leveraged for a cross-site scripting (XSS) attack.
“The ‘step’ parameter is stored unfiltered and then echo’d out, resulting in an XSS. Code path can be hit when Disqus install is out of date,” Cubrilovic explained in a blog post published on Tuesday.
The vulnerabilities were reported by the researcher to Disqus on June 9 via the [email protected] email address, and they were fixed by the company on June 29 with the release of version 2.7.6, which contains fixes not only for the issues found by Cubrilovic, but also by Alexander Concha and Marc-Alexandre Montpas. In the meantime, Disqus released version 2.7.7 which contains additional security fixes.
The plugin has been downloaded more than 1.4 million times from the official WordPress website so there are plenty of sites on which the security holes can be exploited. That’s why administrators are advised to update their installations as soon as possible.