Comments – Wpdiscuz Security Vulnerabilities

Wordfence Intelligence Weekly WordPress Vulnerability Report (June 3, 2024 to June 9, 2024)

_ Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? __Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the...

Comments – wpDiscuz < 7.6.19 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.6.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...

CVE-2024-35681

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in gVectors Team wpDiscuz allows Stored XSS.This issue affects wpDiscuz: from n/a through...

CVE-2024-35681

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in gVectors Team wpDiscuz allows Stored XSS.This issue affects wpDiscuz: from n/a through...

CVE-2024-35681 WordPress wpDiscuz plugin <= 7.6.18 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in gVectors Team wpDiscuz allows Stored XSS.This issue affects wpDiscuz: from n/a through...

CVE-2024-35681 WordPress wpDiscuz plugin <= 7.6.18 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in gVectors Team wpDiscuz allows Stored XSS.This issue affects wpDiscuz: from n/a through...

CVE-2023-46310

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpDiscuz allows Code Injection.This issue affects wpDiscuz: from n/a through...

CVE-2023-46310

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpDiscuz allows Code Injection.This issue affects wpDiscuz: from n/a through...

CVE-2023-46310 WordPress wpDiscuz plugin <= 7.6.10 - Content Injection vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpDiscuz allows Code Injection.This issue affects wpDiscuz: from n/a through...

CVE-2023-46310 WordPress wpDiscuz plugin <= 7.6.10 - Content Injection vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpDiscuz allows Code Injection.This issue affects wpDiscuz: from n/a through...

Wordfence Intelligence Weekly WordPress Vulnerability Report (April 22, 2024 to April 28, 2024)

Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 304 vulnerabilities disclosed in 232...

CVE-2024-2477

The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of an uploaded image in all versions up to, and including, 7.6.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-2477

The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of an uploaded image in all versions up to, and including, 7.6.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-2477

The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of an uploaded image in all versions up to, and including, 7.6.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-2477

The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of an uploaded image in all versions up to, and including, 7.6.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

wpDiscuz < 7.6.16 - Authenticated (Author+) Stored Cross-Site Scripting via Uploaded Image Alternative Text

Description The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of an uploaded image in all versions up to, and including, 7.6.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2023-51691

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team Comments – wpDiscuz allows Stored XSS.This issue affects Comments – wpDiscuz: from n/a through...

CVE-2023-51691

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team Comments – wpDiscuz allows Stored XSS.This issue affects Comments – wpDiscuz: from n/a through...

Cross site scripting

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team Comments – wpDiscuz allows Stored XSS.This issue affects Comments – wpDiscuz: from n/a through...

CVE-2023-51691 WordPress wpDiscuz Plugin <= 7.6.12 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team Comments – wpDiscuz allows Stored XSS.This issue affects Comments – wpDiscuz: from n/a through...

CVE-2023-51691 WordPress wpDiscuz Plugin <= 7.6.12 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team Comments – wpDiscuz allows Stored XSS.This issue affects Comments – wpDiscuz: from n/a through...

wpDiscuz < 7.6.13 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

CVE-2023-46311

Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments – wpDiscuz.This issue affects Comments – wpDiscuz: from n/a through...

CVE-2023-46311

Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments – wpDiscuz.This issue affects Comments – wpDiscuz: from n/a through...

Authorization

Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments – wpDiscuz.This issue affects Comments – wpDiscuz: from n/a through...

CVE-2023-46311 WordPress wpDiscuz Plugin <= 7.6.3 is vulnerable to Insecure Direct Object References (IDOR)

Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments – wpDiscuz.This issue affects Comments – wpDiscuz: from n/a through...

wpDiscuz < 7.6.12 - Cross-Site Request Forgery

Description The wpDiscuz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.6.11. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to dismiss admin notices via a...

wpDiscuz < 7.6.6 - Unauthenticated SQL Injection

Description The wpDiscuz plugin for WordPress is vulnerable to SQL Injection via the 'visibleCommentIds' parameter in versions up to, and including, 7.6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 13, 2023 to November 19, 2023)

Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 126 vulnerabilities disclosed in 102 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence...

CVE-2023-47775

Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team Comments — wpDiscuz plugin &lt;= 7.6.11...

CVE-2023-47775

Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team Comments — wpDiscuz plugin &lt;= 7.6.11...

Cross site request forgery (csrf)

Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team Comments — wpDiscuz plugin &lt;= 7.6.11...

CVE-2023-47775 WordPress wpDiscuz Plugin <= 7.6.11 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team Comments — wpDiscuz plugin &lt;= 7.6.11...

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 30, 2023 to November 5, 2023)

Wordfence just launched its bug bounty program. Over the next 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 79 vulnerabilities disclosed in 64 WordPress Plugins and no WordPress themes that have been added to the Wordfence...

WordPress wpDiscuz Plugin < 7.6.12 XSS Vulnerability

The WordPress...

wpDiscuz < 7.6.12 - Missing Authorization in AJAX Actions

Description The plugin is vulnerable to unauthorized use of functionality due to a missing capability check on functions corresponding to AJAX actions in versions up to, and including, 7.6.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to view user...

wpDiscuz < 7.6.11 - Unauthenticated Content Injection

Description The plugin is vulnerable to Arbitrary Content Injection, making it possible for unauthenticated attackers to inject new content onto the website, possibly through the manipulation of posts to create new web pages, spam, or...

wpDiscuz < 7.6.6 - Unauthenticated SQL Injection

Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated...

wpDiscuz < 7.6.4 - Author+ IDOR

Description The plugin is vulnerable to unauthorized modification of data due to a missing authorization check on a...

wpDiscuz < 7.6.11 - Insufficient Authorization to Comment Submission on Deleted Posts

Description The plugin is vulnerable to unauthorized modification of data due to insufficient validation on the comment functionality, making it possible for unauthenticated attackers to leave comments on trashed...

wpDiscuz < 7.6.12 - Unauthenticated Stored XSS

Description The plugin does not validate and escape some parameters, which could allow unauthenticated users to perform Stored Cross-Site Scripting...

CVE-2023-47185

Unauth. Stored Cross-Site Scripting (XSS) vulnerability in gVectors Team Comments — wpDiscuz plugin &lt;= 7.6.11...

CVE-2023-47185

Unauth. Stored Cross-Site Scripting (XSS) vulnerability in gVectors Team Comments — wpDiscuz plugin &lt;= 7.6.11...

Cross site scripting

Unauth. Stored Cross-Site Scripting (XSS) vulnerability in gVectors Team Comments — wpDiscuz plugin &lt;= 7.6.11...

CVE-2023-47185 WordPress wpDiscuz Plugin <= 7.6.11 is vulnerable to Cross Site Scripting (XSS)

Unauth. Stored Cross-Site Scripting (XSS) vulnerability in gVectors Team Comments — wpDiscuz plugin &lt;= 7.6.11...

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 16, 2023 to October 22, 2023)

Last week, there were 109 vulnerabilities disclosed in 95 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in....

WordPress wpDiscuz Plugin < 7.6.4 Multiple IDOR Vulnerabilities

The WordPress...

CVE-2023-3998

The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the userRate function in versions up to, and including, 7.6.3. This makes it possible for unauthenticated attackers to increase or decrease the rating of a...

CVE-2023-3869

The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the voteOnComment function in versions up to, and including, 7.6.3. This makes it possible for unauthenticated attackers to increase or decrease the rating of a...

CVE-2023-3869

The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the voteOnComment function in versions up to, and including, 7.6.3. This makes it possible for unauthenticated attackers to increase or decrease the rating of a...