28 matches found
WordPress AnyComment plugin <= 0.2.17 - Arbitrary HyperComments Import/Revert via CSRF vulnerability
Arbitrary HyperComments Import/Revert via CSRF vulnerability discovered by Brandon Roldan in WordPress AnyComment plugin versions <= 0.2.17. Solution: Update the WordPress AnyComment plugin to the latest available version, at least 0.2.18...
AnyComment < 0.2.18 - Arbitrary HyperComments Import/Revert via CSRF
The plugin does not have CSRF checks in the Import and Revert HyperComments features, allowing attackers to make a logged-in admin perform such actions via a CSRF attack. Go to https://example.com/wordpress/wp-admin/admin.php?r=import%2Fhypercomments&url=http://, and you will see a GET request in yo...
AnyComment < 0.2.18 - Arbitrary HyperComments Import/Revert via CSRF
The plugin does not have CSRF checks in the Import and Revert HyperComments features, allowing attackers to make a logged-in admin perform such actions via a CSRF attack. PoC: Go to https://example.com/wordpress/wp-admin/admin.php?r=import%2Fhypercomments=http://, and you will see a GET request in yo...
HyperComments <= 1.2.2 - Unauthenticated Arbitrary File Deletion
The plugin does not validate and sanitise user input that is concatenated into a file path and passed to unlink, which leads to an arbitrary file deletion issue. For more details about this issue, please see the reference. PoC File: hypercomments/hypercomments.php:112 $filename =...
HyperComments <= 1.2.2 - Unauthenticated Arbitrary File Deletion
The plugin does not validate and sanitise user input that is concatenated into a file path and passed to unlink, which leads to an arbitrary file deletion issue. For more details about this issue, please see the reference. File: hypercomments/hypercomments.php:112 $filename =...
WordPress HyperComments plugin <= 1.2.2 - Unauthenticated Arbitrary File Deletion vulnerability
Unauthenticated Arbitrary File Deletion vulnerability found by Lenon Leite in WordPress HyperComments plugin versions <= 1.2.2. Solution: 2020-12-09 - we were unable to find a patched version of this plugin. There's only a note from wordpress.org available: "This plugin has been closed as of November...
hypercomments.com Open Redirect vulnerability
Vulnerable URL: https://www.hypercomments.com/api/go?url=https://www.openbugbounty.org

Details:

| Description | Value |
|---|---|
| Patched: | No |
| Latest check for patch: | 27.07.2017 |
| Vulnerability type: | Open Redirect |
| Vulnerability status: | Publicly disclosed |
| Alexa Rank | 40870 |
| VIP website status: | Yes |
| Check... | |
hypercomments.com Open Redirect vulnerability
Open Bug Bounty ID: OBB-50256

| Description | Value |
|---|---|
| Affected Website: | hypercomments.com |
| Open Bug Bounty Program: | Create your bounty program now. It's open and free. |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | Open Redirect / CWE-601 |
| CVSSv3 Score: | 3.4... |