CVE-2014-5347

Disqus Comment System < 2.76 - Cross-Site Request Forgery via Multiple Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-5347. PoCs published by Nik Cubrilovic.

AI-analyzed exploit summary This exploit demonstrates a CSRF and stored XSS vulnerability in the Disqus for WordPress plugin up to version 2.7.5. It submits a malicious form to reset Disqus settings and injects a script payload via the 'disqus_public_key' parameter.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in the Disqus Comment System plugin before 2.76 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) disqus_replace, (2) disqus_public_key, or (3) disqus_secret_key parameter to wp-admin/edit-comments.php in manage.php or that (4) reset or (5) delete plugin options via the reset parameter to wp-admin/edit-comments.php.

Exploits (1)

exploitdb WORKING POC

by Nik Cubrilovic · htmlwebappsphp

https://www.exploit-db.com/exploits/34336

View Code ZIP pw:eip

This exploit demonstrates a CSRF and stored XSS vulnerability in the Disqus for WordPress plugin up to version 2.7.5. It submits a malicious form to reset Disqus settings and injects a script payload via the 'disqus_public_key' parameter.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Disqus for WordPress up to v2.7.5

Auth required

Prerequisites: Victim must be authenticated as an admin · Victim must visit the malicious page

MITRE ATT&CK