Published on June 30th, 2014


Remote Code Execution Vulnerability in Disqus Leaves Millions of Blogs Vulnerable


The security team at the security firm Sucuri discovered a critical Remote Code Execution (RCE) flaw while analyzing a custom JSON parser in the Disqus plugin: its variable-parsing function could allow anyone to execute commands on the server, because it passed input through an insecurely coded call to PHP's eval() function.


The Remote Code Execution (RCE) vulnerability can be triggered by a remote attacker only if the server/website is running the following application versions:
  • PHP version 5.1.6 or earlier
  • WordPress 3.1.4 or earlier
  • WordPress plugin Disqus Comment System 2.75 or earlier

For successful exploitation an attacker can post a custom payload, for example {${phpinfo()}}, as a comment on the targeted post/page; he then only needs to open the ‘Comment Synchronization’ URL with the targeted post ID in order to take advantage of the vulnerability.
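To make the mechanism concrete, here is an added illustration (not the Disqus plugin's own code) of the class of bug described above: a hand-rolled JSON decoder that builds a PHP string literal from untrusted input and hands it to eval(), shown beside the safe replacement. The function names and the JSON envelope are assumptions for the example; the native json_decode() it relies on has existed since PHP 5.2, which is consistent with only PHP 5.1.6 and earlier being affected.

```php
<?php
// Added illustration of the vulnerability class, not the Disqus plugin's code.

// Vulnerable pattern: the "decoder" turns a JSON string value into a
// double-quoted PHP literal and evaluates it. Inside double quotes PHP treats
// {${expr}} as complex variable syntax and executes expr, so any comment text
// that reaches this function becomes code run by the PHP interpreter.
function decode_string_vulnerable(string $json_string_body): string {
    $code = '$value = "' . $json_string_body . '";';
    eval($code);   // untrusted input reaches the PHP compiler: remote code execution
    return $value;
}

// Hardened replacement: never eval. Let the native parser do the work,
// then validate the shape of what came back before trusting it.
function decode_comment_safe(string $json): ?string {
    $data = json_decode($json, true, 8);   // associative array, shallow depth limit
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        return null;   // malformed input is rejected, not interpreted
    }
    if (!isset($data['message']) || !is_string($data['message'])) {
        return null;
    }
    return $data['message'];   // the comment body is returned as plain text
}

// Constructed sample: the comment body quoted in the article, wrapped in the
// JSON envelope a caller would build. With json_decode() it stays a string;
// the braces are data, not syntax, and nothing is executed.
$comment = '{${phpinfo()}}';
$safe = decode_comment_safe('{"message":' . json_encode($comment) . '}');
var_dump($safe === $comment);
```

The same input handed to decode_string_vulnerable() would run phpinfo() in the server process, which is exactly why eval() has no place in a parser for untrusted data.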


“While the flaw itself is very dangerous,” reads the blog post. “That's it, looks simple right? So if you are using an outdated version of WordPress/PHP, you need to update Disqus asap.”
At the beginning of the month, the same team of security researchers at Sucuri discovered a critical vulnerability in All in One SEO Pack, a plugin for the WordPress content management platform that optimizes sites for search engines, which potentially left millions of websites vulnerable to attackers.
If left unpatched, the flaw could allow any attacker to do whatever he wants with a vulnerable website. So, those using outdated versions of WordPress, Disqus Comment Plugin 2.76 and PHP are strongly advised to upgrade to the latest version as soon as possible.

WordPress users should be able to update their Disqus plugin by signing into their WordPress administrative panel > Disqus Comment System plugin > drop-down at the top or bottom of the page > click “Update.” Users can also update the plugin manually by overwriting the plugin files directly in the WordPress plugins directory.
