354 matches found
wpDiscuz <= 5.3.5 - SQL Injection
A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request. id: CVE-2020-13640 info: name: wpDiscuz = 5.3.5 - SQL Injection author: Sourabh-Sahu severity:...
WordPress Comments – wpDiscuz plugin <= 7.6.56 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by mickeyjoe in WordPress Plugin wpDiscuz versions = 7.6.56...
CVE-2026-9148
The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the guest commenter 'Website' field in versions up to, and including, 7.6.56 This is due to insufficient output escaping in the getCommentAuthor function, which interpolates the stored commentauthorurl...
CVE-2026-9148 Comments <= 7.6.56 - Unauthenticated Stored Cross-Site Scripting via 'Website' Field
The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the guest commenter 'Website' field in versions up to, and including, 7.6.56 This is due to insufficient output escaping in the getCommentAuthor function, which interpolates the stored commentauthorurl...
CVE-2026-9148
The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the guest commenter 'Website' field in versions up to, and including, 7.6.56 This is due to insufficient output escaping in the getCommentAuthor function, which interpolates the stored commentauthorurl...
EUVD-2026-41514
The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the guest commenter 'Website' field in versions up to, and including, 7.6.56 This is due to insufficient output escaping in the getCommentAuthor function, which interpolates the stored commentauthorurl...
CVE-2026-9148
The Comments – wpDiscuz plugin for WordPress (affected: versions up to 7.6.56) is vulnerable to Stored XSS via the guest commenter field Website. The root cause is insufficient output escaping in getCommentAuthor(), which interpolates the stored comment_author_url directly into single-quoted HTML...
WordPress wpDiscuz <=7.0.4 - Remote Code Execution
WordPress wpDiscuz plugin versions version 7.0 through 7.0.4 are susceptible to remote code execution. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server. id: CVE-2020-24186 info: nam...
CVE-2026-22210
wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary...
CVE-2026-22216
wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard...
CVE-2026-22215
wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability in the getFollowsPage function that allows attackers to trigger unauthorized actions without nonce validation. Attackers can craft malicious requests to enumerate follow relationships and manipulate user follow data by...
CVE-2026-22201
wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP function that allows attackers to bypass IP-based rate limiting and ban enforcement by trusting untrusted HTTP headers. Attackers can set HTTPCLIENTIP or HTTPXFORWARDEDFOR headers to spoof their IP address and circumvent...
CVE-2026-22199
Voltronic Power SNMP Web Pro version 1.1 contains a pre-authentication path traversal vulnerability in the upload.cgi endpoint that allows unauthenticated attackers to read arbitrary files on the device filesystem by supplying directory traversal sequences in the params parameter. Attackers can...
CVE-2026-22183
wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in the inline comment preview functionality that allows authenticated users to inject malicious scripts by submitting comments with unescaped content. Attackers with unfilteredhtml capabilities can inject JavaScript...
CVE-2026-22202
wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to...
CVE-2026-22191
Beghelli Sicuro24 SicuroWeb contains a template injection vulnerability that allows attackers to inject arbitrary AngularJS expressions by exploiting improper rendering of untrusted input in AngularJS template contexts. Attackers can inject malicious expressions that are compiled and executed by...
CVE-2026-22192
Voltronic Power SNMP Web Pro version 1.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to access privileged management functions by manipulating browser localStorage values. Attackers can modify client-side authentication state to bypass server-side access...
CVE-2026-22193
wpDiscuz before 7.6.47 contains an SQL injection vulnerability in the getAllSubscriptions function where string parameters lack proper quote escaping in SQL queries. Attackers can inject malicious SQL code through email, activationkey, subscriptiondate, and importedfrom parameters to manipulate...
CVE-2026-22182
wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and commentid...
WordPress Plugin wpDiscuz Information Disclosure Vulnerability
WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up a personal blog site on a PHP and MySQL based server.WordPress plugin is an application plugin. An information disclosure vulnerability exists in the WordPress plugin wpDiscuz, which stems fr...