CVE-2014-4163

WordPress Featured Comments 1.2.1 - CSRF


Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-4163. PoCs published by Tom Adams.

AI-analyzed exploit summary: This is a proof-of-concept for a CSRF vulnerability in the Featured Comments WordPress plugin. It demonstrates how an attacker can trick a logged-in user into submitting a malicious request to feature a comment via a crafted HTML form.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in the Featured Comments plugin 1.2.1 for WordPress allow remote attackers to hijack the authentication of administrators for requests that change the (1) buried or (2) featured status of a comment via a request to wp-admin/admin-ajax.php.

Exploits (1)

exploitdb · Working PoC · Verified
by Tom Adams · text · webapps · php
https://www.exploit-db.com/exploits/39213


Classification: Working PoC (90%)
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Featured Comments plugin for WordPress 1.2.1
Auth required: Yes
Prerequisites: Victim must be logged into WordPress admin panel · Attacker must trick victim into submitting the form
Analyzed by devstral-2 on Feb 16, 2026

References (1)

Core References (1)
Exploit, mailing list (x_refsource_fulldisc): http://seclists.org/fulldisclosure/2014/Jun/62

Scores

EPSS 0.0232
EPSS Percentile 81.2%

Details

CWE: CWE-352
Status: published
Products (1): featured_comments_plugin_project/featured_comments 1.2.1
Published: Jun 16, 2014
Tracked Since: Feb 18, 2026