Skip to main content

Comments Wpdiscuz

1 CVEs product

Monthly

CVE-2026-9148 HIGH This Week

Stored cross-site scripting in the Comments - wpDiscuz WordPress plugin (versions up to and including 7.6.56) allows unauthenticated guest commenters to persist malicious script by injecting into the 'Website' field, which is later rendered unescaped by getCommentAuthor(). The stored comment_author_url is interpolated directly into single-quoted HTML attributes without esc_url() or esc_attr(), so any visitor viewing an affected comment thread executes the attacker's payload in their browser session. No public exploit identified at time of analysis, but exploitation requires no authentication and the source-level root cause is documented in the WordPress plugin trac.

WordPress XSS Comments Wpdiscuz
NVD
CVSS 3.1
7.2
EPSS
0.3%
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Comments - wpDiscuz WordPress plugin (versions up to and including 7.6.56) allows unauthenticated guest commenters to persist malicious script by injecting into the 'Website' field, which is later rendered unescaped by getCommentAuthor(). The stored comment_author_url is interpolated directly into single-quoted HTML attributes without esc_url() or esc_attr(), so any visitor viewing an affected comment thread executes the attacker's payload in their browser session. No public exploit identified at time of analysis, but exploitation requires no authentication and the source-level root cause is documented in the WordPress plugin trac.

WordPress XSS Comments Wpdiscuz
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy