The plugin does not have CSRF checks in the Import and Revert HyperComments features, allowing attackers to make a logged-in admin perform such actions via a CSRF attack.
Go to https://example.com/wordpress/wp-admin/admin.php?r=import%2Fhypercomments&url=http://, and you will see a GET request in your server logs indicating that the import request is done.

To revert the imports (i.e. delete all imported comments): https://example.com/wp-admin/admin.php?r=import%2Fhypercomments&revert=1

https://www.youtube.com/watch?v=75BH2m8cmPo
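
A log check for the two requests above, as an added example that is not part of the original advisory: it scans the WordPress site's access log, assumed to be in combined log format, for the import and revert requests and reports those whose Referer is missing or points to another site. The sample log lines, host names and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format (assumed): ip - user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"')

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Jan/2022:10:00:01 +0000] "GET /wp-admin/admin.php?r=import%2Fhypercomments&revert=1 HTTP/1.1" 200 5120 "https://other-site.test/page.html" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2022:10:05:00 +0000] "GET /wordpress/wp-admin/admin.php?r=import%2Fhypercomments&url=http%3A%2F%2Fcollector.test%2F HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2022:11:00:00 +0000] "GET /wp-admin/admin.php?r=import%2Fhypercomments&revert=1 HTTP/1.1" 200 5120 "https://example.com/wp-admin/admin.php" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2022:11:01:00 +0000] "GET /wp-admin/admin.php?page=settings HTTP/1.1" 200 900 "https://example.com/wp-admin/" "Mozilla/5.0"',
]

def classify(line, site_host):
    """Return None for unrelated lines, else a dict describing the import/revert request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    qs = parse_qs(target.query, keep_blank_values=True)
    # parse_qs percent-decodes, so r=import%2Fhypercomments and r=import/hypercomments both match.
    if not target.path.endswith("/wp-admin/admin.php") or qs.get("r") != ["import/hypercomments"]:
        return None
    action = "revert" if "revert" in qs else "import" if "url" in qs else None
    if action is None:
        return None
    ref = m["referer"]
    ref_host = urlsplit(ref).hostname if ref not in ("", "-") else None
    if ref_host is None:
        origin = "no-referer"
    else:
        origin = "same-site" if ref_host == site_host else "cross-site"
    return {"time": m["time"], "ip": m["ip"], "action": action, "origin": origin}

def suspicious(lines, site_host):
    """Import/revert requests that did not come from a page on the site itself."""
    hits = (classify(line, site_host) for line in lines)
    return [h for h in hits if h and h["origin"] != "same-site"]

if __name__ == "__main__":
    for hit in suspicious(SAMPLE_LOG, "example.com"):
        print(hit)
```

A missing Referer is not proof of forgery, since a Referrer-Policy or privacy tool can strip it, so those hits are leads to review against the comment table rather than confirmed incidents.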