CSRF vulnerability in the WordPress comment system allows malicious users to forge comment submissions. Affected URL: /wp-comments-post.php
Warning: Incorrectly following these instructions could cause damage to your site. Always back up your files and database before attempting a manual fix. If you are not comfortable editing code, we can automatically fix the vulnerability for you! Simply use the "Automatic Fix" button on your dashboard.
The CSRF attack is possible because the WordPress comment system does not check the source of the request before accepting a comment.
Please back up your website before making this change, as we cannot be responsible for problems that occur during this manual fix.
- Log in to your WordPress site via FTP
- Go to the WordPress root directory
- Backup the wp-comments-post.php file
- Edit the wp-comments-post.php file
- Find the line that begins with "/** Sets up the WordPress Environment. */"
- Insert the following code before that line:
```php
// Reject the request outright when no Referer header was sent.
if ( ! isset( $_SERVER['HTTP_REFERER'] ) ) {
	die();
}
$referrer_url = $_SERVER['HTTP_REFERER'];
// Escape regexp metacharacters (dots, slashes, ...) in our own host name
// so it is matched literally; '/' is also the pattern delimiter below.
$server_name = preg_quote( $_SERVER['HTTP_HOST'], '/' );
// Accept http or https, an optional "www.", then our host. The host must be
// followed by "/" or the end of the string, otherwise a referrer such as
// "https://example.com.attacker.test/" would pass the prefix match.
$referr_pattern = "/^((http(s)?):\/\/)?(www\.)?$server_name(\/|$)/i";
if ( ! preg_match( $referr_pattern, $referrer_url ) ) {
	die();
}
```
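To show what the source check above must and must not accept, here is an added example in Python (not WordPress or plugin code) that implements the same idea as the PHP snippet: reject a comment POST unless its source header names the site itself. It goes a little beyond the snippet by preferring the Origin header over Referer and by comparing the whole host[:port] rather than a prefix. The site name, header values and the function names `request_is_same_origin` and `run_cases` are all constructed for this example.

```python
"""Source-of-request check for a state-changing POST, in the spirit of the
Referer check in the manual fix. Added example, not WordPress or plugin
code; hostnames and headers below are constructed, not real sites."""
from urllib.parse import urlsplit


def _normalize_host(netloc: str) -> str:
    """Lower-case host[:port] with an optional leading 'www.' removed."""
    host = netloc.strip().lower()
    if host.startswith("www."):
        host = host[4:]
    return host


def request_is_same_origin(headers: dict, server_host: str) -> bool:
    """Return True only if the request names this site as its source.

    Origin is preferred over Referer: browsers send it on cross-site POSTs
    even when a referrer policy suppresses Referer. The whole host[:port]
    must match exactly, not merely start with the site's name, so
    'example.com.attacker.test' is rejected. Missing both headers is
    rejected, mirroring the snippet's die() on a missing Referer.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False  # e.g. an Origin of 'null', or a relative/garbage value
    return _normalize_host(parts.netloc) == _normalize_host(server_host)


# Constructed requests against a site whose HTTP_HOST is 'example.com'.
SITE_HOST = "example.com"
CONSTRUCTED_CASES = [
    ({"Referer": "https://example.com/2024/hello-world/"}, True),
    ({"Referer": "https://www.example.com/2024/hello-world/"}, True),
    ({"Origin": "https://example.com", "Referer": "https://example.com/"}, True),
    ({}, False),  # no source headers at all
    ({"Referer": "https://example.com.attacker.test/"}, False),  # prefix only
    ({"Referer": "https://attacker.test/?u=https://example.com/"}, False),
    ({"Origin": "https://attacker.test", "Referer": "https://example.com/"}, False),
    ({"Origin": "null"}, False),
    ({"Referer": "https://example.com@attacker.test/"}, False),  # userinfo trick
]


def run_cases():
    """Return (headers, expected, actual) for every constructed case that
    does not behave as expected; an empty list means all cases passed."""
    failures = []
    for hdrs, want in CONSTRUCTED_CASES:
        got = request_is_same_origin(hdrs, SITE_HOST)
        if got != want:
            failures.append((hdrs, want, got))
    return failures


if __name__ == "__main__":
    failures = run_cases()
    print("all constructed cases behaved as expected" if not failures else failures)
```

Two practical notes on any source-header check like this: a browser that sends neither Origin nor Referer (for example under a strict referrer policy) is rejected just as the PHP snippet's `die()` rejects it, so expect some legitimate comments to be dropped; and the header check is only a second line of defence, the standard CSRF mitigation being a per-form token such as WordPress's own `wp_nonce_field()` / `wp_verify_nonce()` pair, which the comment form in core does not use for anonymous commenters.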