As some of you may have heard, a number of CSRF (Cross-site Request Forgery) vulnerabilities were discovered in the Disqus plugin for WordPress by Nik Cubrilovic not too long ago.
The biggest of these issues was unfiltered, potentially harmful data being passed straight to the database without proper sanitization. Though this was being filtered on output, Disqus’s debug mode could potentially be used to extract this raw data and inject harmful code. There were also some issues with nonce checks on various POST requests and a vulnerability in the plugin’s upgrade script.
Luckily, the Disqus team moved very quickly to patch these vulnerabilities and released two subsequent updates since June, which addressed these issues.
Over the weekend, researcher Voxel@night discovered an additional vulnerability in the plugin, though a far less intrusive one. While all of the POST requests that are being made to the plugin were addressed with nonce checks in the latest update of the plugin, GET requests still remain open to a CSRF attack. What’s the difference? POST requests are far more harmful, allowing users to inject potentially malicious code straight into the database. GET requests can only be used to retrieve data from the plugin or initiate a sync.
In version 2.77, these requests can be used to activate or deactivate the plugin, import and export comments, and sync comments between Disqus and a WordPress install. And without a proper nonce check, these requests can be made through the browser.
As I mentioned, this new problem is a fairly small issue, as the database cannot be directly manipulated. I reached out to the Disqus team, and they assured me that the issue is being addressed and will hopefully patch the bug soon. If you have the Disqus plugin installed, keep your eyes out for an update in the near future.
Jay Hoffmann is a WordPress developer hailing from NYC. In the strictest sense of the word, he is a WordPress enthusiast with an eye for front-end development and design. He has been working with WordPress since 2006 and currently works for a popular children’s media company. This year, Jay started Tidy Repo, a curated list of the best and most reliable plugins from around the web. You can also follow Jay on Twitter.