Nik Cubrilovic

**Name of the Vulnerable Software and Affected Versions** Disqus Comment System plugin versions prior to 2.76 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `step` parameter in the upgrade.php file. **Recommendations** For versions prior to 2.76, update to version 2.76 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Disqus Comment System plugin version 2.77 **Description** The issue affects the Disqus Comment System plugin, allowing remote attackers to hijack the authentication of administrators. This can be achieved through multiple cross-site request forgery (CSRF) vulnerabilities. The vulnerabilities enable attackers to perform actions such as activating or deactivating the plugin, importing comments via an `import comments` action, or exporting comments via an `export comments` action to `wp-admin/index.php`. The vulnerable endpoints include `wp-admin/edit-comments.php` with the `active` parameter. **Recommendations** For Disqus Comment System plugin version 2.77, update the plugin to a version that addresses the CSRF vulnerabilities. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Disqus Comment System plugin versions prior to 2.76 for WordPress **Description** The issue allows remote attackers to hijack the authentication of administrators for requests, conducting cross-site scripting (XSS) attacks. This is achieved via the `disqus replace`, `disqus public key`, or `disqus secret key` parameter to "wp-admin/edit-comments.php" in manage.php, or by resetting or deleting plugin options via the `reset` parameter to "wp-admin/edit-comments.php". **Recommendations** For Disqus Comment System plugin versions prior to 2.76, update to version 2.76 or later to resolve the issue.