Disqus Patch Critical Security Flaws in its WordPress Plugins
Three vulnerabilities have been patched in version 2.76 of the Disqus plugin, and among them the CSRF flaw was the critical bug. The CSRF vulnerability was in the manage.php module of the plugin. CSRF flaws are quite common in web applications and plugins and have become a common attack vector.
Nik Cubrilovic, the researcher who discovered and reported the Disqus flaws, wrote:
“The parameters disqus_replace, disqus_public_key and disqus_secret_key are being passed to WordPress’s update_option function directly with no filtering. The documentation for update_option says that it will take any value passed to it and store it in the database. It is up to the plugin author to filter and validate variables here, since there are cases where you want to store HTML or other types of raw data.”

In order to exploit the vulnerability, an attacker could set up a malicious site with the exploit code on it and inject it into the user’s browser via the CSRF, Cubrilovic said. He said that he had used the exploit in a live penetration test for a client by sending the link in a spearphishing email to an administrator.
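The root cause described above, unfiltered POST parameters written straight into update_option with nothing tying the request to a legitimately rendered admin form, is a pattern any WordPress plugin can fall into. The following is an added illustration written for this article, not the Disqus plugin's own code: the unsafe pattern next to a hardened version built on WordPress's standard nonce, capability and sanitization helpers (wp_nonce_field, check_admin_referer, current_user_can, sanitize_text_field, wp_unslash). The function names, the nonce action string and the assumed format of the key values are illustrative assumptions.

```php
<?php
// Added example, not from the Disqus plugin. Option names follow the article;
// function names and the nonce action are assumed for illustration.

// --- Before: the anti-pattern the article describes ------------------------
function example_save_settings_unsafe() {
    // No nonce, so a form on any site the logged-in admin visits can submit here.
    // No capability check, and the raw values go into the database unfiltered.
    update_option( 'disqus_public_key', $_POST['disqus_public_key'] );
    update_option( 'disqus_secret_key', $_POST['disqus_secret_key'] );
    update_option( 'disqus_replace',    $_POST['disqus_replace'] );
}

// --- After: capability check + nonce + validation before update_option -----
const EXAMPLE_NONCE_ACTION = 'example_disqus_save_settings'; // assumed name

function example_render_settings_form() {
    echo '<form method="post">';
    // Emits a hidden field carrying a per-user, time-limited nonce that a
    // forged cross-site request cannot know in advance.
    wp_nonce_field( EXAMPLE_NONCE_ACTION );
    foreach ( array( 'disqus_public_key', 'disqus_secret_key' ) as $name ) {
        printf(
            '<label>%1$s <input type="text" name="%1$s" value="%2$s"></label><br>',
            esc_attr( $name ),
            esc_attr( get_option( $name, '' ) )
        );
    }
    printf(
        '<label><input type="checkbox" name="disqus_replace" value="1"%s> Replace comments</label><br>',
        checked( '1', get_option( 'disqus_replace', '0' ), false )
    );
    echo '<button type="submit">Save</button></form>';
}

// Assumed allowlist for API keys: a single printable token with no whitespace
// or markup. Adjust to whatever the real key format is.
function example_is_valid_key( $value ) {
    return is_string( $value ) && $value !== ''
        && strlen( $value ) <= 128
        && preg_match( '/^[A-Za-z0-9_\-]+$/', $value ) === 1;
}

function example_save_settings_safe() {
    // 1. Only users permitted to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // 2. Verify the nonce emitted by wp_nonce_field(). check_admin_referer()
    //    stops the request if the nonce is missing or invalid, which is what
    //    defeats a forged submission from another origin.
    check_admin_referer( EXAMPLE_NONCE_ACTION );

    // 3. Validate and sanitize every value before it reaches update_option().
    $public_key = isset( $_POST['disqus_public_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['disqus_public_key'] ) ) : '';
    $secret_key = isset( $_POST['disqus_secret_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['disqus_secret_key'] ) ) : '';

    if ( ! example_is_valid_key( $public_key ) || ! example_is_valid_key( $secret_key ) ) {
        wp_die( 'Invalid key format.' );
    }

    // disqus_replace is a simple on/off switch, so only '0' or '1' is stored.
    $replace = ! empty( $_POST['disqus_replace'] ) ? '1' : '0';

    update_option( 'disqus_public_key', $public_key );
    update_option( 'disqus_secret_key', $secret_key );
    update_option( 'disqus_replace',    $replace );
}
```

The two halves of the fix address different problems. The nonce and capability check are the CSRF mitigation: a request that did not originate from a form WordPress rendered for this user is rejected before anything is written. The validation step is independent of CSRF and is what the quoted update_option documentation leaves to the plugin author; without it, even an authenticated request could store arbitrary content in the options table.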
The other two vulnerabilities Cubrilovic discovered were a cross-site scripting (XSS) flaw and one that could be used to reset or delete the options in the Disqus plugin; both are of lower severity.
What to Do Now?
Readers who use the Disqus plugin on their blog or site are advised to update it in order to patch the vulnerabilities discussed above. WordPress users should be able to update the Disqus plugin by signing into the WordPress administrative panel > Disqus Comment System plugin > drop-down at the top or bottom of the page > click “Update.” Users can also update the plugin manually by overwriting the plugin files directly in the WordPress plugin directory.