CVE-2025-13820

Source: contact@wpscan.com

Severity: MEDIUM (5.3)
Published: January 1, 2026 at 06:15 AM
Modified: January 5, 2026 at 08:16 PM

Vulnerability Description

The Comments WordPress plugin before 7.6.40 does not properly validate the user's identity when using the disqus.com provider, allowing an attacker who knows a user's email address to log in as that user when the user does not yet have an account on disqus.com.

CVSS Metrics

Base Score: 5.3
Severity: MEDIUM
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Security Analysis

01 // Technical Summary

Attackers can completely compromise WordPress sites running the Comments plugin by impersonating any user, including administrators, through a flaw in the plugin's Disqus login integration. This enables unauthorized access, data theft, and full site takeover. Immediate patching is critical to prevent widespread exploitation.

02 // Vulnerability Mechanism

Step 1: Target selection: The attacker identifies a WordPress site using the vulnerable Comments plugin and determines the target user's email address (e.g., an administrator's).

Step 2: Disqus account creation (optional): The attacker does not need to create a Disqus account for the target email beforehand; the flaw allows one to be created on the fly.

Step 3: Login attempt: The attacker initiates a login through the Comments plugin's Disqus integration, supplying the target user's email address.

Step 4: Authentication bypass: Because of the vulnerability, the plugin trusts the supplied email address without properly validating it against the Disqus service.

Step 5: Account creation/login: The plugin either creates a new Disqus account associated with the target email (if none exists) or logs the attacker in as the target user.

Step 6: Privilege escalation: The attacker now has access to the WordPress account associated with the target email and can act with that user's role (e.g., administrator access).

03 // Deep Technical Analysis

The vulnerability stems from insufficient user identity validation in the Comments plugin when handling Disqus authentication. The plugin does not properly verify the user's identity with the Disqus service before granting a login. Specifically, it trusts the email address provided by the user, and if that email does not yet exist on Disqus, it creates a new Disqus account for it, so an attacker can create an account under any email address and then log in as the WordPress user associated with that email. The root cause is a missing or inadequate check by the plugin of the identity Disqus actually asserts, combined with its trust in the client-supplied email address, which together produce an authentication bypass.
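As an added illustration (not code from the Comments plugin or from this advisory), the following Python sketch contrasts the trust-the-client-email pattern described above with a hardened mapping that accepts only a provider-returned, verified identity that the WordPress user had previously linked. The user table, the linked-account record, the tokens and the provider stand-in are all constructed; no real Disqus API is called.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample WordPress user table: email -> (user_login, role).
WP_USERS = {
    "admin@example.test": ("admin", "administrator"),
    "alice@example.test": ("alice", "subscriber"),
}
# Constructed record of provider accounts a WP user linked while already
# authenticated to WordPress: email -> provider user id.
LINKED_ACCOUNTS = {"alice@example.test": "disqus-uid-1001"}


@dataclass
class ProviderIdentity:
    user_id: str
    email: str
    email_verified: bool


# Hypothetical stand-in for the provider's server-side token lookup (no real
# Disqus calls). Constructed tokens: one for a genuinely linked account, one
# for a freshly created provider account that merely carries the admin email.
SAMPLE_PROVIDER: Dict[str, ProviderIdentity] = {
    "tok-alice": ProviderIdentity("disqus-uid-1001", "alice@example.test", True),
    "tok-new-account": ProviderIdentity("disqus-uid-9999", "admin@example.test", True),
}


def login_vulnerable(client_email: str) -> Optional[str]:
    """Pattern the advisory describes: the client-supplied email is looked up
    directly, so any matching WordPress user is logged in."""
    user = WP_USERS.get(client_email)
    return user[0] if user else None


def login_hardened(provider: Dict[str, ProviderIdentity], token: str) -> Optional[str]:
    """Resolve the identity server-side; accept only a verified email whose
    provider account the WordPress user had already linked."""
    ident = provider.get(token)
    if ident is None or not ident.email_verified:
        return None
    user = WP_USERS.get(ident.email)
    if user is None or LINKED_ACCOUNTS.get(ident.email) != ident.user_id:
        return None  # unknown user, or provider account never linked by that user
    return user[0]
```

The linked-account check is the part that closes the gap described above: a brand-new provider account carrying an existing user's email is rejected instead of being mapped to that user.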

04 // Exploitation Status

Likely **Public PoC** available. Given the nature of the vulnerability and the simplicity of the exploit, it is highly probable that a proof-of-concept (PoC) exploit will be quickly developed and shared publicly. The vulnerability is also likely to be **Actively exploited** soon after the public disclosure.

05 // Threat Intelligence

This vulnerability poses a significant threat to all WordPress websites using the affected plugin. While no specific APT groups are directly linked at this time, the ease of exploitation makes it attractive to a wide range of attackers, including script kiddies and financially motivated cybercriminals. CISA KEV status: Likely to be added quickly after public disclosure.

06 // Detection & Hunting

  • Monitor WordPress access logs for suspicious login attempts, especially those originating from unusual IP addresses or user agents.

  • Analyze the Comments plugin's logs for any errors or unusual activity related to Disqus authentication.

  • Implement intrusion detection rules to identify attempts to exploit the vulnerability, such as unusual requests to the Disqus authentication endpoint with forged email addresses.

  • Monitor for the creation of new user accounts with suspicious email addresses, particularly those that match known administrative or privileged user accounts.

  • Analyze network traffic for unusual patterns in Disqus API calls.

07 // Remediation & Hardening

  • Update the Comments WordPress plugin to version 7.6.40 or later immediately. This is the primary and most effective remediation step.

  • Review and audit user accounts for any unauthorized access or suspicious activity.

  • Implement multi-factor authentication (MFA) for all WordPress user accounts, especially administrators.

  • Regularly back up the WordPress database and files to facilitate recovery in case of a successful attack.

  • Review and harden the WordPress configuration to limit the attack surface.

  • Monitor the website for any signs of compromise, such as unexpected file changes or unauthorized user accounts.

08 // Affected Products

Comments WordPress plugin versions before 7.6.40