Disqus WordPress Plugin Vulnerable to Hackers


We recently found a security vulnerability in the Disqus Comment System plugin for WordPress. It could, under very specific conditions, allow an attacker to perform arbitrary remote code execution (RCE). In other words, an attacker can do anything he wants with a vulnerable website.

While the flaw itself is very dangerous, it may only be triggered on servers using WordPress with PHP version 5.1.6 or earlier. This also means that only users of WordPress 3.1.4 (or earlier) are vulnerable to it as more recent releases don’t support these older PHP versions.

Knowing that the targeted user base is actually very small, we decided to share our findings publicly now that Disqus released a patch for it (patched version 2.76).

*Every disqus user is still encouraged to upgrade to the latest version asap. read more

%d bloggers like this: