A vulnerability has been discovered in the Disqus plugin for WordPress allowing for Remote Code Execution. The Disqus plugin is used on nearly 2 million WordPress blogs.

Who is Vulnerable?

A remote attacker can execute arbitrary PHP on the web server when all three of the following conditions hold at the same time:

  • PHP <= 5.1.6
  • WordPress <= 3.1.4
  • Disqus Plugin <= 2.75

How it Works

Two steps are all that is needed. First, post a comment on a WordPress post whose body is a PHP expression wrapped in PHP's curly-brace ("complex") string-interpolation syntax, such as {${phpinfo()}}. Second, open the plugin's comment synchronization URL for that post, http://www.example.com/?cf_action=sync_comments&post_id=TARGET_POST_ID (where TARGET_POST_ID is the numeric ID of the post carrying the comment). During synchronization the stored comment body is handled in a way that lets PHP parse it as a double-quoted string, and PHP evaluates the expression inside ${...} while parsing: phpinfo() is merely the harmless proof; any PHP expression executes the same way, with the privileges of the web server process.
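The following PHP is an added, constructed illustration of the bug class behind the advisory and of the version matrix above; it is not the Disqus plugin's code, which this page does not reproduce. It assumes (hypothetically) that the sync step decodes comment text with a hand-rolled unescaper that eval()s a double-quoted PHP literal, of the sort a fallback decoder for PHP releases without json_decode() (added in PHP 5.2.0) might use. The function names, the JSON batch and post ID 42 are all made up for the demonstration.

```php
<?php
// Constructed illustration, NOT the Disqus plugin's code. The "decoder" shape
// is an assumption; the page only shows the payload and the sync URL.

// Constructed JSON batch such as a comment-sync step might fetch from a remote
// comment API. The second message is the advisory's payload.
$batch = json_encode(array(
    array('post_id' => 42, 'message' => 'Great write-up, thanks.'),
    array('post_id' => 42, 'message' => '{${phpinfo()}}'),
));

// VULNERABLE (hypothetical): JSON escapes (\" \\ \n \t) resemble PHP's
// double-quoted escapes, so this unescaper "lets PHP do it" by eval()ing a
// double-quoted literal built from the data. PHP's curly syntax {${expr}} is
// then parsed inside that literal and expr runs as code.
function json_unescape_vulnerable($raw) {
    eval('$value = "' . $raw . '";');   // {${phpinfo()}} calls phpinfo() here
    return $value;
}

// HARDENED: never turn data into PHP source. json_decode() (PHP >= 5.2.0)
// resolves the same escapes and hands the characters back as plain text.
function json_unescape_safe($raw) {
    return json_decode('"' . $raw . '"');
}

// Pull the raw, still-escaped "message" literals out of the batch. The regex
// accepts escaped characters so an embedded \" does not end the match early.
function extract_raw_messages($json) {
    preg_match_all('/"message":"((?:[^"\\\\]|\\\\.)*)"/', $json, $m);
    return $m[1];
}

// Run the advisory's scenario with a given decoder. Output buffering captures
// whatever the decoded text causes to be printed; phpinfo() output appearing
// means the comment body was executed rather than stored.
function sync_demo($json, $decoder) {
    $executed = false;
    $messages = array();
    foreach (extract_raw_messages($json) as $raw) {
        ob_start();
        $messages[] = $decoder($raw);
        $printed = ob_get_clean();
        if (strpos($printed, 'PHP Version') !== false) {
            $executed = true;
        }
    }
    return array('executed' => $executed, 'messages' => $messages);
}

// Affected-version check taken directly from the advisory's matrix: all three
// conditions must hold for a site to be in range.
function is_affected($php, $wp, $plugin) {
    return version_compare($php, '5.1.6', '<=')
        && version_compare($wp, '3.1.4', '<=')
        && version_compare($plugin, '2.75', '<=');
}

$vuln = sync_demo($batch, 'json_unescape_vulnerable');
$safe = sync_demo($batch, 'json_unescape_safe');
printf("vulnerable decoder executed the comment as code: %s\n", $vuln['executed'] ? 'yes' : 'no');
printf("hardened decoder executed the comment as code:   %s\n", $safe['executed'] ? 'yes' : 'no');
printf("hardened decoder stored the payload as text:     %s\n", $safe['messages'][1]);
printf("this PHP (%s) with WordPress 3.1.4 and plugin 2.75 in range: %s\n",
    PHP_VERSION, is_affected(PHP_VERSION, '3.1.4', '2.75') ? 'yes' : 'no');
```

Running it with `php demo.php` prints the vulnerable decoder as having executed the payload and the hardened one as having kept `{${phpinfo()}}` as literal text. The design point is that the fix is not better escaping of quotes but refusing to generate PHP source from untrusted data at all; the version check shows that a current PHP alone already moves a site outside the advisory's affected range.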

How do I Fix It?

Log into your WordPress administration panel and update the Disqus plugin to a release newer than 2.75, then confirm the new version number in the plugins list.

Update WordPress as well (releases up to 3.1.4 are affected) and make sure PHP is up to date with the latest version (releases up to 5.1.6 are affected). All three conditions must be met for the site to be exploitable, so each upgrade on its own closes this particular hole, but an unpatched plugin should not be left in place on the strength of the others.