Wordfence Intelligence Weekly WordPress Vulnerability Report (June 3, 2024 to June 9, 2024)
_ Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? __Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the...
10CVSS
9.9AI Score
EPSS
Comments – wpDiscuz < 7.6.19 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.6.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...
6.5CVSS
5.8AI Score
0.0004EPSS
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in gVectors Team wpDiscuz allows Stored XSS.This issue affects wpDiscuz: from n/a through...
6.5CVSS
0.0004EPSS
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in gVectors Team wpDiscuz allows Stored XSS.This issue affects wpDiscuz: from n/a through...
6.5CVSS
6.5AI Score
0.0004EPSS
CVE-2024-35681 WordPress wpDiscuz plugin <= 7.6.18 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in gVectors Team wpDiscuz allows Stored XSS.This issue affects wpDiscuz: from n/a through...
6.5CVSS
6.8AI Score
0.0004EPSS
CVE-2024-35681 WordPress wpDiscuz plugin <= 7.6.18 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in gVectors Team wpDiscuz allows Stored XSS.This issue affects wpDiscuz: from n/a through...
6.5CVSS
0.0004EPSS
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpDiscuz allows Code Injection.This issue affects wpDiscuz: from n/a through...
5.3CVSS
5.4AI Score
0.0004EPSS
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpDiscuz allows Code Injection.This issue affects wpDiscuz: from n/a through...
5.3CVSS
7.1AI Score
0.0004EPSS
CVE-2023-46310 WordPress wpDiscuz plugin <= 7.6.10 - Content Injection vulnerability
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpDiscuz allows Code Injection.This issue affects wpDiscuz: from n/a through...
5.3CVSS
5.4AI Score
0.0004EPSS
CVE-2023-46310 WordPress wpDiscuz plugin <= 7.6.10 - Content Injection vulnerability
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpDiscuz allows Code Injection.This issue affects wpDiscuz: from n/a through...
5.3CVSS
6.9AI Score
0.0004EPSS
Wordfence Intelligence Weekly WordPress Vulnerability Report (April 22, 2024 to April 28, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 304 vulnerabilities disclosed in 232...
9.1AI Score
EPSS
The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of an uploaded image in all versions up to, and including, 7.6.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
6.4CVSS
5.7AI Score
0.0004EPSS
The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of an uploaded image in all versions up to, and including, 7.6.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
6.4CVSS
5.7AI Score
0.0004EPSS
The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of an uploaded image in all versions up to, and including, 7.6.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
6.4CVSS
5.8AI Score
0.0004EPSS
The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of an uploaded image in all versions up to, and including, 7.6.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
6.4CVSS
5.8AI Score
0.0004EPSS
Description The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of an uploaded image in all versions up to, and including, 7.6.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
6.4CVSS
5.9AI Score
0.0004EPSS
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team Comments – wpDiscuz allows Stored XSS.This issue affects Comments – wpDiscuz: from n/a through...
5.9CVSS
5.1AI Score
0.0004EPSS
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team Comments – wpDiscuz allows Stored XSS.This issue affects Comments – wpDiscuz: from n/a through...
4.8CVSS
5.7AI Score
0.0004EPSS
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team Comments – wpDiscuz allows Stored XSS.This issue affects Comments – wpDiscuz: from n/a through...
4.8CVSS
6.9AI Score
0.0004EPSS
CVE-2023-51691 WordPress wpDiscuz Plugin <= 7.6.12 is vulnerable to Cross Site Scripting (XSS)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team Comments – wpDiscuz allows Stored XSS.This issue affects Comments – wpDiscuz: from n/a through...
5.9CVSS
6.7AI Score
0.0004EPSS
CVE-2023-51691 WordPress wpDiscuz Plugin <= 7.6.12 is vulnerable to Cross Site Scripting (XSS)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team Comments – wpDiscuz allows Stored XSS.This issue affects Comments – wpDiscuz: from n/a through...
5.9CVSS
5.9AI Score
0.0004EPSS
wpDiscuz < 7.6.13 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
4.8CVSS
5.9AI Score
0.0004EPSS
Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments – wpDiscuz.This issue affects Comments – wpDiscuz: from n/a through...
6.5CVSS
0.001EPSS
Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments – wpDiscuz.This issue affects Comments – wpDiscuz: from n/a through...
6.5CVSS
6.4AI Score
0.001EPSS
Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments – wpDiscuz.This issue affects Comments – wpDiscuz: from n/a through...
6.5CVSS
7.2AI Score
0.001EPSS
Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments – wpDiscuz.This issue affects Comments – wpDiscuz: from n/a through...
2.7CVSS
6.7AI Score
0.001EPSS
wpDiscuz < 7.6.12 - Cross-Site Request Forgery
Description The wpDiscuz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.6.11. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to dismiss admin notices via a...
8.8CVSS
6.4AI Score
0.001EPSS
wpDiscuz < 7.6.6 - Unauthenticated SQL Injection
Description The wpDiscuz plugin for WordPress is vulnerable to SQL Injection via the 'visibleCommentIds' parameter in versions up to, and including, 7.6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
7.8AI Score
Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 126 vulnerabilities disclosed in 102 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence...
9.8CVSS
9AI Score
EPSS
Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team Comments — wpDiscuz plugin <= 7.6.11...
8.8CVSS
8.8AI Score
0.001EPSS
Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team Comments — wpDiscuz plugin <= 7.6.11...
8.8CVSS
0.001EPSS
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team Comments — wpDiscuz plugin <= 7.6.11...
8.8CVSS
7.3AI Score
0.001EPSS
Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team Comments — wpDiscuz plugin <= 7.6.11...
4.3CVSS
9AI Score
0.001EPSS
Wordfence Intelligence Weekly WordPress Vulnerability Report (October 30, 2023 to November 5, 2023)
Wordfence just launched its bug bounty program. Over the next 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 79 vulnerabilities disclosed in 64 WordPress Plugins and no WordPress themes that have been added to the Wordfence...
9.8CVSS
10AI Score
EPSS
6.1CVSS
7AI Score
0.0005EPSS
wpDiscuz < 7.6.12 - Missing Authorization in AJAX Actions
Description The plugin is vulnerable to unauthorized use of functionality due to a missing capability check on functions corresponding to AJAX actions in versions up to, and including, 7.6.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to view user...
6.1AI Score
EPSS
wpDiscuz < 7.6.11 - Unauthenticated Content Injection
Description The plugin is vulnerable to Arbitrary Content Injection, making it possible for unauthenticated attackers to inject new content onto the website, possibly through the manipulation of posts to create new web pages, spam, or...
7.1AI Score
0.0004EPSS
wpDiscuz < 7.6.6 - Unauthenticated SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated...
8AI Score
wpDiscuz < 7.6.4 - Author+ IDOR
Description The plugin is vulnerable to unauthorized modification of data due to a missing authorization check on a...
6.5CVSS
6.3AI Score
0.001EPSS
wpDiscuz < 7.6.11 - Insufficient Authorization to Comment Submission on Deleted Posts
Description The plugin is vulnerable to unauthorized modification of data due to insufficient validation on the comment functionality, making it possible for unauthenticated attackers to leave comments on trashed...
6.9AI Score
EPSS
wpDiscuz < 7.6.12 - Unauthenticated Stored XSS
Description The plugin does not validate and escape some parameters, which could allow unauthenticated users to perform Stored Cross-Site Scripting...
6.1CVSS
5.8AI Score
0.0005EPSS
Unauth. Stored Cross-Site Scripting (XSS) vulnerability in gVectors Team Comments — wpDiscuz plugin <= 7.6.11...
6.1CVSS
5.7AI Score
0.0005EPSS
Unauth. Stored Cross-Site Scripting (XSS) vulnerability in gVectors Team Comments — wpDiscuz plugin <= 7.6.11...
6.1CVSS
5.8AI Score
0.0005EPSS
Unauth. Stored Cross-Site Scripting (XSS) vulnerability in gVectors Team Comments — wpDiscuz plugin <= 7.6.11...
6.1CVSS
5.8AI Score
0.0005EPSS
CVE-2023-47185 WordPress wpDiscuz Plugin <= 7.6.11 is vulnerable to Cross Site Scripting (XSS)
Unauth. Stored Cross-Site Scripting (XSS) vulnerability in gVectors Team Comments — wpDiscuz plugin <= 7.6.11...
5.9AI Score
0.0005EPSS
Wordfence Intelligence Weekly WordPress Vulnerability Report (October 16, 2023 to October 22, 2023)
Last week, there were 109 vulnerabilities disclosed in 95 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in....
9.8CVSS
7.4AI Score
EPSS
5.3CVSS
6.9AI Score
0.001EPSS
The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the userRate function in versions up to, and including, 7.6.3. This makes it possible for unauthenticated attackers to increase or decrease the rating of a...
5.3CVSS
5.5AI Score
0.001EPSS
The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the voteOnComment function in versions up to, and including, 7.6.3. This makes it possible for unauthenticated attackers to increase or decrease the rating of a...
5.3CVSS
5.5AI Score
0.001EPSS
The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the voteOnComment function in versions up to, and including, 7.6.3. This makes it possible for unauthenticated attackers to increase or decrease the rating of a...
5.3CVSS
5.1AI Score
0.001EPSS