CVE-2014-5346

Disqus Comment System 2.77 - Cross-Site Request Forgery via Plugin Activation/Deactivation or Comment Import/Export

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-5346.

AI-analyzed exploit summary: This is a functional CSRF and stored XSS exploit for the Disqus WordPress plugin up to version 2.7.5. It demonstrates how an attacker can reset Disqus settings and inject malicious JavaScript via unfiltered parameters.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in the Disqus Comment System plugin 2.77 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) activate or (2) deactivate the plugin via the active parameter to wp-admin/edit-comments.php, (3) import comments via an import_comments action, or (4) export comments via an export_comments action to wp-admin/index.php.

Exploits (1)

exploitdb (working PoC)
Tags: html, webapps, php
https://www.exploit-db.com/exploits/34336

Classification: Working PoC 95%
Attack type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Disqus for WordPress (up to v2.7.5)
No auth needed
Prerequisites: Victim must visit a malicious page while logged into WordPress admin
devstral-2 · analyzed Feb 19, 2026

References (2)

Core References (2)
Mailing list (x_refsource_fulldisc)
http://seclists.org/fulldisclosure/2014/Aug/46

Scores

EPSS 0.0024
EPSS Percentile 47.3%

Details

CWE
CWE-352
Status published
Products (1)
disqus/disqus_comment_system 2.77
Published Aug 19, 2014
Tracked Since Feb 18, 2026