Security Experts:

Connect with us

Hi, what are you looking for?



Vulnerabilities Found in Disqus Plugin for WordPress

A researcher has identified several vulnerabilities in the WordPress plugin for Disqus, the popular comment hosting service for websites and online communities.

A researcher has identified several vulnerabilities in the WordPress plugin for Disqus, the popular comment hosting service for websites and online communities.

A total of three flaws have been identified by Nik Cubrilovic, who detailed his findings on his personal blog. The most serious issue he found is a cross-site request forgery (CSRF) affecting the “Manage.php” file, which is used for plugin settings. The problem is that some parameters are passed without proper filtering, enabling an attacker to inject an exploit via CSRF.

The researcher created an example exploit and tried it out in a real-world scenario by sending a spear phishing email to a website administrator. This social engineering part is needed because the victim needs to visit a page set up by the attacker for the exploit to work.

In the same settings file, Cubrilovic noticed that the nonce isn’t checked on submit. A nonce is a one-time token generated by WordPress websites to ensure that repeated, expired or malicious requests are not processed. Developers should use the wp_verify_nonce function on submit in order to verify if a nonce is correct and valid.

The creators of the WordPress plugin for Disqus included a nonce, but failed to verify it on submit, allowing an attacker to use CSRF to trigger the “reset” function or delete any of the plugin’s options, Cubrilovic said.

Finally, the expert identified an unfiltered parameter in the upgrade script which could have been leveraged for a cross-site scripting (XSS) attack.

“The ‘step’ parameter is stored unfiltered and then echo’d out, resulting in an XSS. Code path can be hit when Disqus install is out of date,” Cubrilovic explained in a blog post published on Tuesday.

The vulnerabilities were reported by the researcher to Disqus on June 9 via the [email protected] email address, and they were fixed by the company on June 29 with the release of version 2.7.6, which contains fixes not only for the issues found by Cubrilovic, but also by Alexander Concha and Marc-Alexandre Montpas. In the meantime, Disqus released version 2.7.7 which contains additional security fixes.

The plugin has been downloaded more than 1.4 million times from the official WordPress website so there are plenty of sites on which the security holes can be exploited. That’s why administrators are advised to update their installations as soon as possible.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.