CVSS Summary
| Score | 4.3 Medium | 
|---|---|
| Vector | Network | 
| Complexity | Medium | 
| Authentication | None | 
| Confidentiality | None | 
| Integrity | Partial | 
| Availability | None | 
Last revised:
When posting comments, WordPress does not require a nonce value: the only nonce in the comment-submission flow is the one sent when posting unfiltered HTML, and an ordinary comment goes through without it. This means the comment handler (wp-comments-post.php) is vulnerable to cross-site request forgery (CSRF): an attacker can force a logged-in user to post arbitrary comments under that user's name.
For this to happen, the logged-in user would have to be tricked into visiting a page or clicking on a link controlled by the attacker. The browser attaches the victim's WordPress login cookies to the forged POST, so the comment is attributed to the victim. It is easy to make such links very convincing.
The line which verifies the nonce when using unfiltered HTML is line 154 of wp-comments-post.php.
EDIT: this issue has been known about since 2009, but it appears that no fix is planned https://core.trac.wordpress.org/ticket/10931
Current state: Reported
Log in, visit a URL serving the following HTML (replacing localhost as appropriate, and replacing 1 with the ID of a post that accepts comments), click submit:
```html
<!-- Proof of concept: cross-site form targeting the WordPress comment handler -->
<form method="POST" action="http://localhost/wp-comments-post.php">
  <input type="text" name="comment_post_ID" value="1">
  <input type="text" name="comment" value="UH OH">
  <input type="submit">
</form>
```
(In a real attack the form can be made to auto-submit using JavaScript, so the victim only has to load the page.)
Disable comments until a new version is released that fixes this bug. Alternatively, add and verify a nonce on the comment form yourself.
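The following is an added example of the missing check, not code from the report or from WordPress core. It is a small must-use plugin that adds a per-post nonce to the comment form and rejects comment submissions from logged-in users that lack a valid one, using the standard `comment_form` and `pre_comment_on_post` hooks, `wp_nonce_field()` and `wp_verify_nonce()`. The action name `post_comment_csrf` and field name `_comment_csrf_nonce` are assumptions chosen for this example.

```php
<?php
/*
Plugin Name: Comment CSRF nonce (added example, not WordPress core)
Description: Requires a valid nonce on comment submissions from logged-in users.
*/

// Assumes a stock WordPress install where the theme calls comment_form(),
// which fires the 'comment_form' action inside the <form>, and where
// wp-comments-post.php fires 'pre_comment_on_post' before saving the comment.

defined( 'ABSPATH' ) || exit;

const COMMENT_CSRF_ACTION = 'post_comment_csrf';    // hypothetical action name
const COMMENT_CSRF_FIELD  = '_comment_csrf_nonce';  // hypothetical field name

// Build the nonce action string. Binding it to the post ID means a nonce
// obtained for one post cannot be replayed against a different post.
function comment_csrf_action_for_post( $post_id ) {
    return COMMENT_CSRF_ACTION . '_' . (int) $post_id;
}

// Render a hidden nonce field inside the comment form for logged-in users.
// The nonce is derived from the user's ID and session token, so an attacker
// cannot precompute it for the victim.
add_action( 'comment_form', function ( $post_id ) {
    if ( is_user_logged_in() ) {
        wp_nonce_field( comment_csrf_action_for_post( $post_id ), COMMENT_CSRF_FIELD, false );
    }
} );

// Verify the nonce before wp-comments-post.php inserts the comment.
// Anonymous commenters are left unchanged (see the caveat below).
add_action( 'pre_comment_on_post', function ( $comment_post_id ) {
    if ( ! is_user_logged_in() ) {
        return;
    }

    $nonce = isset( $_POST[ COMMENT_CSRF_FIELD ] ) ? (string) $_POST[ COMMENT_CSRF_FIELD ] : '';

    // wp_verify_nonce() returns 1 or 2 for a valid nonce and false otherwise;
    // a forged cross-site form cannot supply a valid value.
    if ( ! wp_verify_nonce( $nonce, comment_csrf_action_for_post( $comment_post_id ) ) ) {
        wp_die(
            'Comment rejected: missing or invalid security token.',
            'Comment Submission Failure',
            array( 'response' => 403, 'back_link' => true )
        );
    }
} );
```

Drop the file into wp-content/mu-plugins/ so it loads on every request. The check is restricted to logged-in users because that is the population the report covers and because WordPress nonces are tied to the user session; extending it to anonymous commenters would break sites that serve cached pages for longer than a nonce lives, which is the objection raised on the linked ticket. Themes that render their own comment form markup without calling comment_form() will not emit the field, and logged-in users on such themes would be unable to comment until the theme is updated.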