> "WordPress performs no CSRF [Cross-Site Request Forgery] validation when a user posts a new comment. This is because some WordPress features such as trackbacks and pingbacks would break if there was any validation"

Um, Trackbacks and Pingbacks have been broken for over 10 years, ever since script kiddies figured out it was an easy way to spam and DDoS.
Anyone that admins a WordPress site that has TB/PB enabled shouldn't own a computer, let alone admin a WordPress install.