Just days after Disqus updated its WordPress plugin with a patch for CSRF and XSS vulnerabilities, a security researcher has again found CSRF vulnerabilities, which the company apparently missed the first time around.
Security researcher Voxel@Night has revealed in a blog post that, although Disqus patched the set of vulnerabilities reported by Nik Cubrilovic, the company did not fix the CSRF weakness in the plugin's GET requests.
According to the researcher, three settings in the admin interface lack nonces. “By exploiting this you can activate or deactivate the plugin, and import or export comments between your wordpress database and disqus”, notes Voxel@Night in the blog post. The researcher lists three example URLs, all of which are GET requests.
The researcher references the CSRF vulnerability reported by Cubrilovic and argues that the company should have implemented a proper fix, given that the reported problem was simple and obvious. “They now verify the nonce for all POST requests, but not for GET requests”, adds the researcher.
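The pattern the researcher describes, a nonce check that runs only for POST and leaves state-changing GET requests unprotected, beside the hardened form, as an added illustration that is not Disqus's plugin code. The plugin name, option key, action names, and URL parameters (`example_plugin`, `example_action`, `example_plugin_action`) are hypothetical; the WordPress functions (`check_admin_referer`, `wp_nonce_url`, `current_user_can`) are the real core API:

```php
<?php
// Added example, not the Disqus plugin's code. Plugin name, action names and
// option keys are hypothetical; the WordPress functions used are real.

// --- Vulnerable pattern ----------------------------------------------------
// The nonce is verified only when the request is a POST, so a request to the
// same admin page using GET reaches the state-changing branch with no CSRF
// protection at all. This is the gap the article describes.
function example_plugin_admin_handler_vulnerable() {
    if ( ! isset( $_REQUEST['example_action'] ) ) {
        return;
    }
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        check_admin_referer( 'example_plugin_action', '_wpnonce' );
    }
    example_plugin_do_action( sanitize_key( $_REQUEST['example_action'] ) );
}

// --- Hardened pattern ------------------------------------------------------
// 1. Capability check: only users allowed to manage options may trigger it.
// 2. Nonce check on every request, GET included. check_admin_referer() calls
//    wp_die() when the nonce is missing or invalid, so execution never
//    reaches the action without a valid token.
function example_plugin_admin_handler_hardened() {
    if ( ! isset( $_REQUEST['example_action'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_plugin_action', '_wpnonce' );
    example_plugin_do_action( sanitize_key( $_REQUEST['example_action'] ) );
}

// Because the handler now requires a nonce on GET as well, the plugin's own
// settings page must generate its action links with wp_nonce_url() so that
// legitimate clicks still carry a valid token.
function example_plugin_action_link( $action ) {
    $url = add_query_arg(
        array( 'page' => 'example_plugin', 'example_action' => $action ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'example_plugin_action', '_wpnonce' );
}

// Stand-in for the plugin's real work (activate/deactivate, import/export);
// records the last action in a hypothetical option so the flow is observable.
function example_plugin_do_action( $action ) {
    update_option( 'example_plugin_last_action', $action );
}

add_action( 'admin_init', 'example_plugin_admin_handler_hardened' );
```

The check in the hardened handler is method-agnostic: a CSRF token has to be validated wherever the request changes state, not only on the method the developer expects the form to use. Reviewing a plugin for this class of bug means looking for every `$_GET`/`$_REQUEST` parameter that drives a write and confirming a `check_admin_referer()` or `wp_verify_nonce()` call precedes it.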
The issue remains unfixed, and over 1.4 million sites (according to download statistics from WordPress) are still vulnerable.