Vulnerability Description
Multiple cross-site request forgery (CSRF) vulnerabilities in the Disqus Comment System plugin before 2.76 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) disqus_replace, (2) disqus_public_key, or (3) disqus_secret_key parameter to wp-admin/edit-comments.php in manage.php or that (4) reset or (5) delete plugin options via the reset parameter to wp-admin/edit-comments.php.
CVSS Score
6.8 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Disqus | Disqus Comment System | <= 2.75 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/127847/WordPress-Disqus-2.7.5-CSRF-Cross-Si
- http://packetstormsecurity.com/files/127852/Disqus-2.7.5-Cross-Site-Request-Forg (Exploit)
- http://seclists.org/fulldisclosure/2014/Aug/35
- http://www.exploit-db.com/exploits/34336 (Exploit)
- http://www.securityfocus.com/bid/69205
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95288
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95289
- https://gist.github.com/nikcub/cb5dc7a5464276c8424a
- https://wordpress.org/plugins/disqus-comment-system/other_notes (Patch)
- https://www.nikcub.com/posts/multiple-vulnerabilities-in-disqus-wordpress-plugin (Exploit)
FAQ
What is CVE-2014-5347?
CVE-2014-5347 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Multiple cross-site request forgery (CSRF) vulnerabilities in the Disqus Comment System plugin before 2.76 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) disqus_replace, (2) disqus_public_key, or (3) disqus_secret_key parameter to wp-admin/edit-comments.php in manage.php, or that (4) reset or (5) delete plugin options via the reset parameter to wp-admin/edit-comments.php.
How severe is CVE-2014-5347?
CVE-2014-5347 has been rated MEDIUM with a CVSS base score of 6.8/10. See the CVSS Score section above.
Is there a patch for CVE-2014-5347?
Check the references section above for vendor advisories and patch information; the plugin's "other notes" page on wordpress.org is marked as the patch reference. Affected product: Disqus Comment System (vendor Disqus), versions up to and including 2.75; version 2.76 addresses the issue.