WordPress is hit again with a major vulnerability. Considering the fact that it’s a free platform, with user-created plugins and themes, that is to be expected. Anything ‘free’ must have its cost somewhere.
The latest plugin to be found vulnerable is Disqus (pronounced ‘discuss’). Website security firm Sucuri discovered the flaw in the Disqus Comment System Plugin. Luckily, much like the TimThumb flaw, it takes a very specific set of circumstances to exploit this particular vulnerability. According to the Sucuri blog, the flaw can only be “triggered on servers using WordPress with PHP version 5.1.6 or earlier.” Disqus has released a patch for this particular issue in version 2.76.
Given the opportunity, a hacker could use this flaw to gain complete control of a website. A hacker could release their customized payload as a comment on the webpage of their desire. Then they would open the ‘Comment Synchronization’ URL with the targeted post ID, and ta-da! They’re now running your website’s show.
So, for everyone who may be running an older version of this plugin, you’ll need to follow these instructions:
1. Sign in to your WordPress Administrative panel.
2. Go to Disqus Comment System Plugin.
3. Click Update.
You can also manually update your plugin by overwriting the plugin files directly in the plugin directory, if you are so skilled and inclined.
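If you manage more than one site, it helps to know which ones actually fall in the vulnerable range before you start clicking through admin panels. The shell script below is an added example, not part of the original post or of Disqus’s plugin: it compares a plugin version against the patched 2.76 release and a PHP version against the 5.1.6 cutoff quoted above, component by component, so that “2.7” sorts before “2.76” and “5.1.10” after “5.1.6”. The sample version numbers at the bottom are constructed; on a real host you would feed in the output of `php -r 'echo PHP_VERSION;'` and the `Version:` line from the plugin’s header file (assumption: you have shell access to the web root).

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a site's Disqus
# plugin and PHP combination falls in the range the post describes
# (plugin before 2.76 AND PHP 5.1.6 or earlier).

# vercmp A B: prints -1, 0 or 1 as A is less than, equal to, or greater than B.
# Dotted versions are split and compared numerically per component; missing
# trailing components count as 0, so "2.7" == "2.7.0".
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in pa) ? pa[i] + 0 : 0
            y = (i in pb) ? pb[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# plugin_outdated VERSION: succeeds if the installed plugin is older than 2.76
plugin_outdated() {
    [ "$(vercmp "$1" "2.76")" -lt 0 ]
}

# php_affected VERSION: succeeds if PHP is 5.1.6 or earlier
php_affected() {
    [ "$(vercmp "$1" "5.1.6")" -le 0 ]
}

# site_at_risk PLUGIN_VERSION PHP_VERSION: both conditions from the post must hold
site_at_risk() {
    plugin_outdated "$1" && php_affected "$2"
}

# Constructed sample values; replace with the real plugin and PHP versions.
if site_at_risk "2.75" "5.1.6"; then
    echo "plugin 2.75 on PHP 5.1.6: update the Disqus plugin now"
else
    echo "plugin/PHP combination is outside the vulnerable range"
fi
```

Note that a plugin older than 2.76 on a newer PHP is still out of date and should be updated anyway; the script only tells you which sites match the specific conditions the post quotes, which is useful for deciding what to patch first.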