WordPress Disqus versions 2.7.5 and below suffer from cross site request forgery and cross site scripting vulnerabilities.
2df5dbf30ee565d7f622d21cfbcd0f06f378ce8494ab640f6e97b5154395387e
Vendor: Disqus for Wordpress -
https://wordpress.org/plugins/disqus-comment-system
Code repo: https://github.com/disqus/disqus-wordpress/
Version affected: up to v2.7.5
15th most popular Wordpress plugin with 1.4M+ installs. Three issues:
CSRF in manage.php, no nonce check on settings reset or delete and
reflected XSS in upgrade.php.
Full details:
https://www.nikcub.com/posts/multiple-vulnerabilities-in-disqus-wordpress-plugin/
Reported: June 9th 2014
Patched: June 24th 2014 in v2.7.6
Nik
--
Nik Cubrilovic - http://www.nikcub.com