Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Unauthenticated network injection (AV:N/PR:N), but payload execution needs a victim to view the comment page, so UI:R; script runs in the browser context so S:C with Low C/I and no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Comments - wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the guest commenter 'Website' field in versions up to, and including, 7.6.56 This is due to insufficient output escaping in the getCommentAuthor() function, which interpolates the stored comment_author_url value directly into single-quoted HTML attributes without applying esc_url() or esc_attr(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Articles & Coverage 1
AnalysisAI
Stored cross-site scripting in the Comments - wpDiscuz WordPress plugin (versions up to and including 7.6.56) allows unauthenticated guest commenters to persist malicious script by injecting into the 'Website' field, which is later rendered unescaped by getCommentAuthor(). The stored comment_author_url is interpolated directly into single-quoted HTML attributes without esc_url() or esc_attr(), so any visitor viewing an affected comment thread executes the attacker's payload in their browser session. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the wpDiscuz comment form expose the guest commenter 'Website' field (the default for guest/anonymous commenting) and that guest comments are published without a manual moderation gate; the attacker needs no account (PR:N) and no special platform. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N); the elevated score is driven primarily by the changed scope (S:C) reflecting that injected script runs in the victim's browser security context rather than the plugin's, combined with no privilege or user-interaction requirement to plant the payload. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker submits a guest comment on any post with wpDiscuz enabled, placing a breakout payload such as a single-quote followed by an event-handler attribute into the 'Website' field. The plugin stores the value and renders it unescaped on the comment thread, so when any visitor - or an administrator reviewing comments in wp-admin - loads the page, the script executes in their browser, enabling session/cookie theft, admin-session hijacking, or drive-by redirection. … |
| Remediation | Vendor-released patch: update the Comments - wpDiscuz plugin to version 7.6.57 or later, which corrects the output escaping in getCommentAuthor() as shown in the trac changeset (https://plugins.trac.wordpress.org/changeset/3563675/wpdiscuz/trunk/utils/class.WpdiscuzHelper.php). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all WordPress installations using wpDiscuz and confirm current plugin version. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41514
GHSA-mh45-hp98-pch7