There are several cross-site request forgery vulnerabilities in the Disqus WordPress Plugin, version 2.77. Let’s start with the technical details, then I’ll get to the commentary.
Three settings in the admin interface lack nonces. By exploiting this you can activate or deactivate the plugin, and import or export comments between your WordPress database and Disqus. Example URLs:
http://wptestbox1.dev/wordpress/wp-admin/edit-comments.php?page=disqus&active=0
http://wptestbox1.dev/wordpress/wp-admin/index.php?cf_action=export_comments&post_id=0&timestamp=1408220878.213
http://wptestbox1.dev/wordpress/wp-admin/index.php?cf_action=import_comments&last_comment_id=0&wipe=1
These are all just simple GET requests. There is nothing terribly interesting in the plugin’s code related to this. It is just the simple lack of a nonce (for GET requests).
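As an added example (this is not code from the Disqus plugin or from the post's author), here is how a WordPress plugin can protect admin-side actions like the ones above against CSRF. The fix is the one the post implies: tie each state-changing request to a nonce and verify it, plus a capability check so that the nonce is not the only gate. The hook name, the `example_` function names, the nonce action strings and the `example_do_export()` routine are assumptions made for this illustration.

```php
<?php
// Added illustration, not the Disqus plugin's code: protecting a WordPress
// admin action against CSRF with a nonce and a capability check.
// Function names, nonce action strings and example_do_export() are assumed.

// 1. GET-style action links: generate the link with wp_nonce_url(), which
//    appends a _wpnonce parameter bound to the action string and the current
//    user's session. A link forged on another site cannot carry a valid value.
function example_export_link() {
    $url = admin_url( 'index.php?cf_action=export_comments&post_id=0' );
    return wp_nonce_url( $url, 'example_export_comments' );
}

// 2. Handler for the GET action. Runs on admin_init, i.e. only for requests
//    that already reached wp-admin.
function example_handle_get_actions() {
    if ( ! isset( $_GET['cf_action'] ) ) {
        return;
    }
    $action = sanitize_key( $_GET['cf_action'] );
    if ( 'export_comments' !== $action ) {
        return;
    }

    // Authorization first: CSRF protection is not a substitute for it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Nonce check: check_admin_referer() stops the request with an
    // "link has expired" page if _wpnonce is absent or was not generated
    // for this action by this user.
    check_admin_referer( 'example_export_comments' );

    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    example_do_export( $post_id ); // assumed: the plugin's real export routine
}
add_action( 'admin_init', 'example_handle_get_actions' );

// 3. Settings forms (such as an activate/deactivate toggle) should be POST
//    forms carrying a nonce field, verified the same way on submit.
function example_render_toggle_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_toggle_plugin', '_wpnonce' ); ?>
        <input type="hidden" name="example_toggle" value="1">
        <label>
            <input type="checkbox" name="active" value="1"
                <?php checked( get_option( 'example_plugin_active' ) ); ?>>
            Active
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

function example_handle_toggle_post() {
    if ( empty( $_POST['example_toggle'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Same nonce check for the POST form; rejects cross-site form submissions.
    check_admin_referer( 'example_toggle_plugin' );

    $active = ! empty( $_POST['active'] ) ? 1 : 0;
    update_option( 'example_plugin_active', $active );
}
add_action( 'admin_init', 'example_handle_toggle_post' );

// Placeholder for the assumed export routine so the file is self-contained.
if ( ! function_exists( 'example_do_export' ) ) {
    function example_do_export( $post_id ) {
        // The real plugin would push comments for $post_id to the remote service.
        do_action( 'example_export_comments', $post_id );
    }
}
```

The two things to check when reviewing a plugin for this class of bug are visible in the handlers: every code path that changes state calls `check_admin_referer()` (or `wp_verify_nonce()`) before acting, and every link or form that reaches such a path is built with `wp_nonce_url()` or `wp_nonce_field()`. A handler that reads `$_GET` or `$_POST` and acts without either call is the pattern the post describes.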