Disqus WordPress Plugin Vulnerability
A vulnerability has been discovered in the Disqus plugin for WordPress allowing for Remote Code Execution. The Disqus plugin is used on nearly 2 million WordPress blogs.
Who is Vulnerable?
A remote attacker could successfully execute remote code provided the following software versions are in use:
- PHP <= 5.1.6
- WordPress <= 3.1.4
- Disqus Plugin <= 2.75
How it Works
A specially crafted comment on a WordPress post, such as {${phpinfo()}}, followed by opening the comment synchronization URL http://www.example.com/?cf_action=sync_comments&post_id=TARGET_POST_ID, is all that is needed to execute remote code.
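The following script is an added example for defenders and is not part of the original advisory. It turns the two facts above into checks: whether a site's reported PHP, WordPress and Disqus plugin versions all fall inside the affected ranges, and whether stored comments contain PHP string-interpolation syntax ({$...} or ${...}) while the access log shows requests to the comment synchronization endpoint. The version thresholds and the endpoint name come from the advisory; the function names, the log format and all sample data are constructed for this example.

```python
"""Defensive triage for the Disqus plugin comment-sync issue.

Two checks:
  1. is_vulnerable_stack(): do the reported PHP / WordPress / Disqus plugin
     versions fall inside the affected ranges listed in the advisory?
  2. find_suspicious(): scan comment bodies for PHP string-interpolation
     markers ({$ or ${) and access-log lines for hits on the comment
     synchronization endpoint (cf_action=sync_comments), so a defender can
     see whether both halves of the technique appear together.
Version thresholds are taken from the advisory; everything else (function
names, log format, sample data) is constructed for this example.
"""
import re
from typing import Iterable

# Affected ranges exactly as stated in the advisory ("<=").
AFFECTED_MAX = {
    "php": "5.1.6",
    "wordpress": "3.1.4",
    "disqus": "2.75",
}


def parse_version(v: str) -> tuple:
    """'5.1.6' -> (5, 1, 6). Non-numeric suffixes such as '-rc1' are dropped.
    Assumption: plain dotted numeric versions, compared component-wise."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable_stack(php: str, wordpress: str, disqus: str) -> bool:
    """True only when all three components are at or below the affected maximum."""
    observed = {"php": php, "wordpress": wordpress, "disqus": disqus}
    return all(
        parse_version(observed[k]) <= parse_version(AFFECTED_MAX[k])
        for k in AFFECTED_MAX
    )


# PHP "complex" string interpolation markers: {$var} or ${expr}. Ordinary blog
# comments rarely contain them, so a hit is worth a human look (expect some
# false positives from text such as prices written as ${20}).
INTERPOLATION = re.compile(r"\{\$|\$\{")
SYNC_ENDPOINT = re.compile(r"cf_action=sync_comments")


def find_suspicious(comments: Iterable[str], access_log: Iterable[str]) -> dict:
    """Return flagged comments, sync-endpoint requests, and whether both occur."""
    flagged_comments = [c for c in comments if INTERPOLATION.search(c)]
    sync_hits = [line for line in access_log if SYNC_ENDPOINT.search(line)]
    return {
        "comments": flagged_comments,
        "sync_requests": sync_hits,
        "correlated": bool(flagged_comments and sync_hits),
    }


# Constructed sample data for a stand-alone run.
SAMPLE_COMMENTS = [
    "Great post, thanks!",
    "Looks like {${phpinfo()}} to me",  # the payload shape quoted in the advisory
    "Price was ${20} last week",          # benign text that still trips the marker
]
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Oct/2011:13:55:36 +0000] "GET /?p=42 HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Oct/2011:13:56:01 +0000] '
    '"GET /?cf_action=sync_comments&post_id=42 HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    print("affected stack:", is_vulnerable_stack("5.1.6", "3.1.4", "2.75"))
    result = find_suspicious(SAMPLE_COMMENTS, SAMPLE_ACCESS_LOG)
    for c in result["comments"]:
        print("flagged comment:", c)
    for line in result["sync_requests"]:
        print("sync request:", line)
    print("correlated:", result["correlated"])
```

A flagged comment on its own is a prompt to review, not proof of compromise; the combination of a flagged comment and a sync request for the same post is what deserves an incident ticket, alongside the version check that tells you whether the stack could have been affected at all.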
How do I Fix It?
Log into your WordPress administration panel and update the Disqus plugin.
Make sure PHP is up-to-date with the latest version.