Advisory:

Comment form CSRF in WordPress 4.2.2 allows admin impersonation via comments

Vulnerability

When posting comments, WordPress does not require a nonce value (unless the comment is posted with unfiltered HTML). This means that an attacker can force a logged-in user to post arbitrary comments.

For this to happen, the logged-in user would have to be tricked into clicking on a link controlled by the attacker. It is easy to make these links very convincing.

The line which verifies the nonce when using unfiltered HTML is line 154 of wp-comments-post.php.

EDIT: this issue has been known about since 2009, but it appears that no fix is planned: https://core.trac.wordpress.org/ticket/10931

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability:

  • Score: 4.3 (Medium)
  • Vector: Network
  • Complexity: Medium
  • Authentication: None
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Log in, visit a URL containing the following (replacing localhost as appropriate, and replacing 1 with the ID of a post), then click submit:

<form method="POST" action="http://localhost/wp-comments-post.php">
  <input type="text" name="comment_post_ID" value="1">
  <input type="text" name="comment" value="UH OH">
  <input type="submit">
</form>

(In a real attack the form can be made to auto-submit using JavaScript.)

Advisory timeline

  • 2009-10-19: Ticket raised by mtdewvirus
  • 2014-03-20: Discovered independently by dxw
  • 2015-07-14: Reported to security@wordpress.org
  • 2015-07-14: Requested CVE
  • 2015-07-17: Response from nikolay@automattic.com
  • 2015-08-05: Published

Mitigation/further actions

Disable comments until a new version is released that fixes this bug.
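Site owners who cannot disable comments can add the missing nonce check themselves with a small plugin. The following is an added example written for this advisory, not code from dxw or from WordPress core; the plugin name, the `cnh_` prefix, the nonce action string and the field name are all made up here, while `wp_nonce_field`, `wp_verify_nonce`, the `comment_form` action and the `pre_comment_on_post` action are the standard WordPress APIs. It only enforces the token for logged-in users, which is the impersonation case the advisory describes, so anonymous commenting and page caching are unaffected.

```php
<?php
/*
Plugin Name: Comment Nonce Hardening (added example, not part of WordPress core)
Description: Require a per-user nonce on comment submissions from logged-in users.
*/

// Hypothetical action and field names used for the nonce (assumptions).
define( 'CNH_ACTION', 'cnh_post_comment' );
define( 'CNH_FIELD',  'cnh_comment_nonce' );

/**
 * Emit a hidden nonce field inside the comment form.
 * The 'comment_form' action fires just before comment_form() closes the <form>,
 * so the field is submitted together with comment_post_ID and comment.
 * The nonce is bound to the post ID so a token issued for one post cannot be
 * replayed against another.
 */
function cnh_add_nonce_field( $post_id ) {
    if ( is_user_logged_in() ) {
        wp_nonce_field( CNH_ACTION . '_' . (int) $post_id, CNH_FIELD );
    }
}
add_action( 'comment_form', 'cnh_add_nonce_field' );

/**
 * Verify the nonce before wp-comments-post.php inserts the comment.
 * 'pre_comment_on_post' receives the comment_post_ID from the request.
 * WordPress nonces are tied to the current user's session, so a form built by
 * an attacker (as in the proof of concept above) cannot carry a valid value.
 */
function cnh_verify_comment_nonce( $comment_post_id ) {
    if ( ! is_user_logged_in() ) {
        return; // anonymous comments are outside the impersonation scenario
    }
    $nonce = isset( $_POST[ CNH_FIELD ] ) ? (string) $_POST[ CNH_FIELD ] : '';
    if ( ! wp_verify_nonce( $nonce, CNH_ACTION . '_' . (int) $comment_post_id ) ) {
        wp_die(
            'Comment rejected: missing or invalid security token.',
            'Comment rejected',
            array( 'response' => 403 )
        );
    }
}
add_action( 'pre_comment_on_post', 'cnh_verify_comment_nonce' );
```

Themes that print their own comment form without calling `comment_form()` will need the `wp_nonce_field()` call added to their template, otherwise every logged-in comment would be rejected.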