Skip to main content

Wpdiscuz

30 CVEs product

Monthly

CVE-2026-22216 MEDIUM PATCH This Month

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notific...

PHP Information Disclosure Wpdiscuz
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22215 MEDIUM PATCH This Month

wpDiscuz before version 7.6.47 contains a cross-site request forgery (CSRF) vulnerability in the getFollowsPage() function that allows unauthenticated attackers to trigger unauthorized actions on behalf of legitimate users without valid nonce validation. An attacker can exploit this by crafting malicious requests to enumerate user follow relationships and manipulate follow data, potentially exposing private social graph information and allowing unauthorized modifications to user follow lists. While the CVSS score of 4.3 indicates low to moderate severity with limited direct impact, the vulnerability requires user interaction (UI:R) but has network-accessible attack surface with no authentication requirement, making it practically exploitable in targeted phishing campaigns.

CSRF Wpdiscuz
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-22210 MEDIUM PATCH This Month

wpDiscuz before version 7.6.47 contains a stored cross-site scripting (XSS) vulnerability in the WpdiscuzHelperUpload class that fails to properly escape attachment URLs when rendering HTML output. Attackers with limited privileges (contributor level or higher) can inject malicious JavaScript through crafted attachment records or WordPress filter hooks, which executes in the browsers of any WordPress user viewing the affected comments. This vulnerability requires user interaction (victim must view the comment) and has moderate real-world impact due to the authentication requirement and user interaction factor, though successful exploitation could lead to session hijacking or credential theft from comment viewers.

XSS WordPress Wpdiscuz
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-22209 MEDIUM PATCH This Month

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads like </style><script>alert(1)</script> in the custom CSS setting to execute arbitrary JavaScript in user browsers.

XSS Wpdiscuz
NVD VulDB GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-22204 LOW PATCH Monitor

wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie.

Code Injection Wpdiscuz
NVD VulDB
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-22203 MEDIUM PATCH This Month

wpDiscuz before version 7.6.47 contains an information disclosure vulnerability where the plugin's JSON export functionality inadvertently exposes OAuth secrets and social login credentials in plaintext. Administrators performing routine plugin option exports or backups unknowingly create files containing sensitive API secrets (Facebook App Secret, Google Client Secret, Twitter App Secret, and others) that can be discovered by attackers in support tickets, backup repositories, or version control systems. An attacker with network access can obtain these exported files to compromise social login integrations and gain unauthorized access to connected third-party services.

Information Disclosure Wpdiscuz
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-22202 HIGH PATCH This Week

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to trigger permanent deletion of comments without user confirmation or POST-based CSRF protection.

CSRF Wpdiscuz
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-22201 MEDIUM PATCH This Month

wpDiscuz before version 7.6.47 contains an IP spoofing vulnerability in the getIP() function that allows unauthenticated attackers to spoof their IP address by manipulating HTTP headers (HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR). This enables circumvention of IP-based rate limiting and ban enforcement mechanisms, allowing attackers to bypass security controls that rely on IP-based detection. The vulnerability has a CVSS score of 5.3 with low attack complexity and no authentication required, making it easily exploitable in network environments.

Authentication Bypass Wpdiscuz
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22199 HIGH PATCH This Week

wpDiscuz before version 7.6.47 contains a vote manipulation vulnerability that allows unauthenticated attackers to artificially inflate or deflate comment votes through nonce bypass and rate limit evasion techniques. Attackers can obtain fresh nonces from the unauthenticated wpdGetNonce endpoint, rotate User-Agent headers to reset rate limits, and manipulate votes using IP rotation or reverse proxy header injection. While the CVSS score is moderate at 5.3, the vulnerability has low attack complexity and requires no privileges or user interaction, making it readily exploitable in practice.

Authentication Bypass Wpdiscuz
NVD VulDB GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-22193 HIGH PATCH This Week

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains an SQL injection vulnerability in the getAllSubscriptions() function where string parameters lack proper quote escaping in SQL queries. Attackers can inject malicious SQL code through email, activation_key, subscription_date, and imported_from parameters to manipulate database queries and extract sensitive information.

SQLi Wpdiscuz
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-22192 HIGH PATCH This Week

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by importing a crafted options file with unescaped customCss field values. Attackers can supply a malicious JSON import file containing script payloads in the customCss parameter that execute on every page when rendered through the options handler withou...

XSS Wpdiscuz
NVD VulDB GitHub
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-22191 MEDIUM PATCH This Month

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a shortcode injection vulnerability that allows attackers to execute arbitrary shortcodes by including them in comment content sent via email notifications. Attackers can inject shortcodes like [contact-form-7] or [user_meta] in comments, which are executed server-side when the WpdiscuzHelperEmail class processes notifications through do_shortcode() before wp_mai...

Code Injection RCE Wpdiscuz
NVD VulDB GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-22183 MEDIUM PATCH This Month

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in the inline comment preview functionality that allows authenticated users to inject malicious scripts by submitting comments with unescaped content. Attackers with unfiltered_html capabilities can inject JavaScript directly through comment content rendered in the AJAX response from the getLastInlineComments() function...

PHP XSS Wpdiscuz
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-22182 HIGH PATCH This Week

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType() function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id parameters to flood subscribers with notifications, as the handler lacks nonce verification, authent...

PHP Authentication Bypass Denial Of Service Wpdiscuz
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2024-9488 CRITICAL PATCH Act Now

The Comments - wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass WordPress Wpdiscuz
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-6704 MEDIUM PATCH This Month

The Comments - wpDiscuz plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 7.6.21. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Wpdiscuz
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2024-35681 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in gVectors Team wpDiscuz allows Stored XSS.6.18. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Wpdiscuz
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-2477 MEDIUM PATCH This Month

The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of an uploaded image in all versions up to, and including, 7.6.15 due to insufficient. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Wpdiscuz
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2023-51691 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team Comments - wpDiscuz allows Stored XSS.6.12. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Wpdiscuz
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2023-46311 LOW Monitor

Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments - wpDiscuz.6.3. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Wpdiscuz
NVD
CVSS 3.1
2.7
EPSS
0.1%
CVE-2023-47775 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team Comments - wpDiscuz plugin <= 7.6.11 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Wpdiscuz
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2023-47185 HIGH This Week

Unauth. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Wpdiscuz
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2023-3998 MEDIUM This Month

The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the userRate function in versions up to, and including, 7.6.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Wpdiscuz
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2023-3869 MEDIUM This Month

The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the voteOnComment function in versions up to, and including, 7.6.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Wpdiscuz
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2022-43492 HIGH This Week

Auth. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Wpdiscuz
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2022-23984 HIGH This Week

Sensitive information disclosure discovered in wpDiscuz WordPress plugin (versions <= 7.3.11). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure Wpdiscuz
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-24806 MEDIUM POC This Month

The wpDiscuz WordPress plugin before 7.3.4 does check for CSRF when adding, editing and deleting comments, which could allow attacker to make logged in users such as admin edit and delete arbitrary. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Wpdiscuz
NVD WPScan
CVSS 3.1
4.3
EPSS
0.5%
CVE-2021-24737 MEDIUM POC This Month

The Comments - wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wpdiscuz
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2020-24186 CRITICAL POC THREAT Emergency

A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload WordPress RCE PHP Wpdiscuz
NVD Exploit-DB
CVSS 3.1
10.0
EPSS
94.5%
CVE-2020-13640 CRITICAL POC PATCH THREAT Act Now

A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress SQLi Wpdiscuz
NVD
CVSS 3.1
9.8
EPSS
12.7%
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notific...

PHP Information Disclosure Wpdiscuz
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

wpDiscuz before version 7.6.47 contains a cross-site request forgery (CSRF) vulnerability in the getFollowsPage() function that allows unauthenticated attackers to trigger unauthorized actions on behalf of legitimate users without valid nonce validation. An attacker can exploit this by crafting malicious requests to enumerate user follow relationships and manipulate follow data, potentially exposing private social graph information and allowing unauthorized modifications to user follow lists. While the CVSS score of 4.3 indicates low to moderate severity with limited direct impact, the vulnerability requires user interaction (UI:R) but has network-accessible attack surface with no authentication requirement, making it practically exploitable in targeted phishing campaigns.

CSRF Wpdiscuz
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

wpDiscuz before version 7.6.47 contains a stored cross-site scripting (XSS) vulnerability in the WpdiscuzHelperUpload class that fails to properly escape attachment URLs when rendering HTML output. Attackers with limited privileges (contributor level or higher) can inject malicious JavaScript through crafted attachment records or WordPress filter hooks, which executes in the browsers of any WordPress user viewing the affected comments. This vulnerability requires user interaction (victim must view the comment) and has moderate real-world impact due to the authentication requirement and user interaction factor, though successful exploitation could lead to session hijacking or credential theft from comment viewers.

XSS WordPress Wpdiscuz
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads like </style><script>alert(1)</script> in the custom CSS setting to execute arbitrary JavaScript in user browsers.

XSS Wpdiscuz
NVD VulDB GitHub
EPSS 0% CVSS 3.7
LOW PATCH Monitor

wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie.

Code Injection Wpdiscuz
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

wpDiscuz before version 7.6.47 contains an information disclosure vulnerability where the plugin's JSON export functionality inadvertently exposes OAuth secrets and social login credentials in plaintext. Administrators performing routine plugin option exports or backups unknowingly create files containing sensitive API secrets (Facebook App Secret, Google Client Secret, Twitter App Secret, and others) that can be discovered by attackers in support tickets, backup repositories, or version control systems. An attacker with network access can obtain these exported files to compromise social login integrations and gain unauthorized access to connected third-party services.

Information Disclosure Wpdiscuz
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to trigger permanent deletion of comments without user confirmation or POST-based CSRF protection.

CSRF Wpdiscuz
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

wpDiscuz before version 7.6.47 contains an IP spoofing vulnerability in the getIP() function that allows unauthenticated attackers to spoof their IP address by manipulating HTTP headers (HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR). This enables circumvention of IP-based rate limiting and ban enforcement mechanisms, allowing attackers to bypass security controls that rely on IP-based detection. The vulnerability has a CVSS score of 5.3 with low attack complexity and no authentication required, making it easily exploitable in network environments.

Authentication Bypass Wpdiscuz
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

wpDiscuz before version 7.6.47 contains a vote manipulation vulnerability that allows unauthenticated attackers to artificially inflate or deflate comment votes through nonce bypass and rate limit evasion techniques. Attackers can obtain fresh nonces from the unauthenticated wpdGetNonce endpoint, rotate User-Agent headers to reset rate limits, and manipulate votes using IP rotation or reverse proxy header injection. While the CVSS score is moderate at 5.3, the vulnerability has low attack complexity and requires no privileges or user interaction, making it readily exploitable in practice.

Authentication Bypass Wpdiscuz
NVD VulDB GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains an SQL injection vulnerability in the getAllSubscriptions() function where string parameters lack proper quote escaping in SQL queries. Attackers can inject malicious SQL code through email, activation_key, subscription_date, and imported_from parameters to manipulate database queries and extract sensitive information.

SQLi Wpdiscuz
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by importing a crafted options file with unescaped customCss field values. Attackers can supply a malicious JSON import file containing script payloads in the customCss parameter that execute on every page when rendered through the options handler withou...

XSS Wpdiscuz
NVD VulDB GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a shortcode injection vulnerability that allows attackers to execute arbitrary shortcodes by including them in comment content sent via email notifications. Attackers can inject shortcodes like [contact-form-7] or [user_meta] in comments, which are executed server-side when the WpdiscuzHelperEmail class processes notifications through do_shortcode() before wp_mai...

Code Injection RCE Wpdiscuz
NVD VulDB GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in the inline comment preview functionality that allows authenticated users to inject malicious scripts by submitting comments with unescaped content. Attackers with unfiltered_html capabilities can inject JavaScript directly through comment content rendered in the AJAX response from the getLastInlineComments() function...

PHP XSS Wpdiscuz
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType() function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id parameters to flood subscribers with notifications, as the handler lacks nonce verification, authent...

PHP Authentication Bypass Denial Of Service +1
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

The Comments - wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass WordPress Wpdiscuz
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

The Comments - wpDiscuz plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 7.6.21. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Wpdiscuz
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in gVectors Team wpDiscuz allows Stored XSS.6.18. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Wpdiscuz
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of an uploaded image in all versions up to, and including, 7.6.15 due to insufficient. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Wpdiscuz
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team Comments - wpDiscuz allows Stored XSS.6.12. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Wpdiscuz
NVD
EPSS 0% CVSS 2.7
LOW Monitor

Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments - wpDiscuz.6.3. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Wpdiscuz
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team Comments - wpDiscuz plugin <= 7.6.11 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Wpdiscuz
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Unauth. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Wpdiscuz
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the userRate function in versions up to, and including, 7.6.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Wpdiscuz
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the voteOnComment function in versions up to, and including, 7.6.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Wpdiscuz
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Auth. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Wpdiscuz
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Sensitive information disclosure discovered in wpDiscuz WordPress plugin (versions <= 7.3.11). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure Wpdiscuz
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

The wpDiscuz WordPress plugin before 7.3.4 does check for CSRF when adding, editing and deleting comments, which could allow attacker to make logged in users such as admin edit and delete arbitrary. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Wpdiscuz
NVD WPScan
EPSS 1% CVSS 4.8
MEDIUM POC This Month

The Comments - wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wpdiscuz
NVD WPScan
EPSS 95% CVSS 10.0
CRITICAL POC THREAT Emergency

A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload WordPress RCE +2
NVD Exploit-DB
EPSS 13% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress SQLi Wpdiscuz
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy