[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Multiple Vulnerabilities in Disqus for Wordpress v2.7.5

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Multiple Vulnerabilities in Disqus for Wordpress v2.7.5
From: Nik Cubrilovic <nikcub@xxxxxxxxx>
Date: Wed, 13 Aug 2014 07:21:16 +1000

Vendor: Disqus for Wordpress -
https://wordpress.org/plugins/disqus-comment-system
Code repo: https://github.com/disqus/disqus-wordpress/
Version affected: up to v2.7.5

15th most popular Wordpress plugin with 1.4M+ installs. Three issues:
CSRF in manage.php, no nonce check on settings reset or delete and
reflected XSS in upgrade.php.

Full details:

https://www.nikcub.com/posts/multiple-vulnerabilities-in-disqus-wordpress-plugin/

Reported: June 9th 2014
Patched: June 24th 2014 in v2.7.6

Nik



--
Nik Cubrilovic - http://www.nikcub.com

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] CVE-2014-5035 - Opendaylight Vulnerable to Local and Remote File Inclusion in the Netconf (TCP) Service
Next by Date: Re: [FD] Beginners error: QuickTime for Windows runs rogue program C:\Program.exe when opening associated files
Previous by thread: [FD] CVE-2014-5035 - Opendaylight Vulnerable to Local and Remote File Inclusion in the Netconf (TCP) Service
Next by thread: [FD] mind tricks and other hacks
Index(es):
- Date
- Thread