Security researcher Simon Scannell from RIPS Technologies, has discovered a new CSRF vulnerability in WordPress that could potentially lead to remote code execution attacks. The flaw is a cross-site request forgery (CSRF) that resides in the comment section of WordPress that is enabled by default, the issue affects all versions prior to version 5.1.1. WordPress is used by over 33% of all websites, the vulnerability potentially affected millions of sites. WordPress development team attempted to mitigate the issue but did not enable CSRF protection.”]
Source: https://securityaffairs.co/wordpress/82382/hacking/wordpress-csrf-hack.html