Skip to main content

wpDiscuz EUVDEUVD-2026-41514

| CVE-2026-9148 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-03 Wordfence GHSA-mh45-hp98-pch7
7.2
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Unauthenticated network injection (AV:N/PR:N), but payload execution needs a victim to view the comment page, so UI:R; script runs in the browser context so S:C with Low C/I and no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 03, 2026 - 08:20 vuln.today
CVE Published
Jul 03, 2026 - 06:50 cve.org
HIGH 7.2

DescriptionCVE.org

The Comments - wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the guest commenter 'Website' field in versions up to, and including, 7.6.56 This is due to insufficient output escaping in the getCommentAuthor() function, which interpolates the stored comment_author_url value directly into single-quoted HTML attributes without applying esc_url() or esc_attr(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored cross-site scripting in the Comments - wpDiscuz WordPress plugin (versions up to and including 7.6.56) allows unauthenticated guest commenters to persist malicious script by injecting into the 'Website' field, which is later rendered unescaped by getCommentAuthor(). The stored comment_author_url is interpolated directly into single-quoted HTML attributes without esc_url() or esc_attr(), so any visitor viewing an affected comment thread executes the attacker's payload in their browser session. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Load post with wpDiscuz comment form
Delivery
Submit guest comment with payload in Website field
Exploit
Server stores unescaped comment_author_url
Install
Victim/admin views comment thread
C2
getCommentAuthor() renders script into DOM
Execute
Execute script in victim browser context
Impact
Hijack session or redirect victim

Vulnerability AssessmentAI

Exploitation Exploitation requires that the wpDiscuz comment form expose the guest commenter 'Website' field (the default for guest/anonymous commenting) and that guest comments are published without a manual moderation gate; the attacker needs no account (PR:N) and no special platform. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N); the elevated score is driven primarily by the changed scope (S:C) reflecting that injected script runs in the victim's browser security context rather than the plugin's, combined with no privilege or user-interaction requirement to plant the payload. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker submits a guest comment on any post with wpDiscuz enabled, placing a breakout payload such as a single-quote followed by an event-handler attribute into the 'Website' field. The plugin stores the value and renders it unescaped on the comment thread, so when any visitor - or an administrator reviewing comments in wp-admin - loads the page, the script executes in their browser, enabling session/cookie theft, admin-session hijacking, or drive-by redirection. …
Remediation Vendor-released patch: update the Comments - wpDiscuz plugin to version 7.6.57 or later, which corrects the output escaping in getCommentAuthor() as shown in the trac changeset (https://plugins.trac.wordpress.org/changeset/3563675/wpdiscuz/trunk/utils/class.WpdiscuzHelper.php). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all WordPress installations using wpDiscuz and confirm current plugin version. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41514 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy