33 matches found
CVE-2026-22182
Summary of CVE-2026-22182 : The wpDiscuz plugin is affected by an unauthenticated denial-of-service vulnerability in versions prior to 7.6.47. An anonymous attacker can trigger mass notification emails by abusing checkNotificationType() through repeated calls to wpdiscuz-ajax.php, using arbitrary...
CVE-2020-24186
CVE-2020-24186 affects the WordPress wpDiscuz plugin (versions 7.0.0 through 7.0.4). The flaw allows unauthenticated attackers to upload arbitrary files via the wmuUploadFiles AJAX action, enabling remote code execution (RCE) by uploading PHP content. Public exploits and PoCs in the connected doc...
CVE-2022-23984
CVE-2022-23984 affects the WordPress wpDiscuz plugin (versions ≤ 7.3.11) with a sensitive information disclosure vulnerability. Root cause and exact exploit path are not detailed in the provided documents, but remediation is to update to the latest available version, at least 7.3.12 (as noted by ...
CVE-2024-2477
CVE-2024-2477 affecting wpDiscuz for WordPress: Stored XSS via the image Alt text in image uploads exists in all versions up to 7.6.15 due to insufficient input sanitization/output escaping. The Red Hat advisory and Wordfence note describe the vulnerability as present in wpDiscuz and detail that ...
CVE-2023-47775
CVE-2023-47775 : Cross-Site Request Forgery in the WordPress plugin wpDiscuz (gVectors Team Comments) affects versions
CVE-2024-9488
CVE-2024-9488 concerns the WordPress plugin Comments – wpDiscuz (versions ≤ 7.6.24). The flaw is an authentication bypass caused by insufficient verification of the user returned by the social login token, enabling unauthenticated attackers to log in as any existing user (including administrators...
CVE-2023-3998
CVE-2023-3998 affects the WordPress wpDiscuz plugin. The vulnerability is an unauthorized data modification flaw due to a missing authorization check in the helper workflow (function: userRate), impacting versions up to and including 7.6.3. An unauthenticated attacker can increase or decrease a p...
CVE-2023-45760
CVE-2023-45760: wpDiscuz
CVE-2020-13640
The CVE-2020-13640 issue affects the WordPress plugin wpDiscuz (gVectors) versions up to 5.3.5. The vulnerability is a SQL injection in the wpdLoadMoreComments request, exploitable via the order parameter, enabling an attacker to execute arbitrary SQL commands. Impact is unauthenticated remote ex...
CVE-2023-46309
CVE-2023-46309 affects WordPress plugin wpDiscuz prior to version 7.6.11, where a Missing Authorization flaw in access control allows unauthenticated users to perform restricted actions due to broken access control. Publicly known details indicate the affected range is wpDiscuz
CVE-2023-46311
CVE-2023-46311 refers to the WordPress plugin wpDiscuz (Comments)
CVE-2022-43492
CVE-2022-43492 affects WordPress with the wpDiscuz plugin at version 7.4.2. It is an Insecure Direct Object References (IDOR) in the Comments feature. The NVD entry lists CVSS v3.1 base metrics: 8.8 (High) with NEURAL: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; PatchStack cites a lower impact vector. R...
CVE-2023-3869
CVE-2023-3869 affects the WordPress wpDiscuz plugin (versions up to and including 7.6.3). The issue is an unauthorized modification of data due to a missing authorization check in the voteOnComment function, enabling unauthenticated attackers to increase or decrease a comment’s rating (IDOR-like ...
CVE-2021-24737
CVE-2021-24737 affects the WordPress wpDiscuz plugin up to v7.3.0. It fails to sanitize/escape Follow and Unfollow messages, enabling Stored XSS by high-privilege users even when unfiltered_html is disallowed. Exploitation vectors are via output on pages and documented PoCs exist in multiple sour...
CVE-2023-47185
CVE-2023-47185: Unauth. stored XSS in the WordPress wpDiscuz plugin (gVectors Team Comments) affects versions
CVE-2024-35681
CVE-2024-35681 pertains to wpDiscuz (gVectors Team) and is a Stored XSS vulnerability described as Improper Neutralization of Input During Web Page Generation. Affected: wpDiscuz versions from n/a through 7.6.18. The vulnerability type is Cross-site Scripting with Stored payloads; exploitation co...
CVE-2023-46310
CVE-2023-46310 describes a Content Injection vulnerability in the WordPress plugin wpDiscuz (gVectors Team) affecting versions up to 7.6.10. The issue is due to improper neutralization of script-related HTML tags, enabling code injection via wpDiscuz content. Public sources in the connected docum...
CVE-2021-24806
CVE-2021-24806 documents a CSRF vulnerability in the WordPress plugin wpDiscuz, affecting versions before 7.3.4. The flaw is a CSRF check failure for adding, editing, and deleting comments, enabling an attacker to cause logged-in users (including admins or the comment author) to edit/delete arbit...
CVE-2023-51691
CVE-2023-51691 concerns the WordPress plugin wpDiscuz, where versions n/a through 7.6.12 are affected by a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation. The root cause is input not being properly sanitized, enabling an attacker...
CVE-2024-6704
The CVE-2024-6704 entry applies to the WordPress plugin Comments – wpDiscuz. Affected versions are
CVE-2026-22191
Beghelli Sicuro24 SicuroWeb is affected by an AngularJS 1.5.2-based template injection chain that can lead to arbitrary JavaScript execution in operator browser sessions. The root cause is improper handling of untrusted input in AngularJS template contexts, combined with an end-of-life AngularJS ...
CVE-2026-22193
wpDiscuz plugin (before version 7.6.47) contains an SQL injection in getAllSubscriptions caused by improper quote escaping for parameters email, activation_key, subscription_date, and imported_from. This allows altering queries and potentially exfiltrating sensitive data. CVSS metrics indicate hi...
CVE-2026-22199
Technical details for CVE-2026-22199 are not publicly available in the provided connected documents. Monitor for updates from the vendor and CVE feeds.
CVE-2026-22201
wpDiscuz before 7.6.47 is affected by an IP spoofing vulnerability in the getIP() function. By trusting untrusted HTTP headers (HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR), an attacker can spoof their IP address and bypass IP-based rate limiting and ban enforcement. The CVE entry specifies the issue ...
CVE-2026-22209
The CVE concerns wpDiscuz before 7.6.47, where a cross-site scripting (XSS) flaw exists in the customCss field. The underlying issue allows an administrator to break out of style tags and inject scripts (for example, ), enabling arbitrary JavaScript execution in the browsers of users. The vulnera...
CVE-2026-22183
CVE-2026-22183 affects the WordPress wpDiscuz plugin prior to 7.6.47. The stored XSS occurs in the inline comment preview, where comment content rendered in the AJAX response from getLastInlineComments() in class.WpdiscuzHelperAjax.php is not properly HTML escaped. Attackers with unfiltered_html ...
CVE-2026-22203
wpDiscuz before 7.6.47 has an information disclosure vulnerability: exporting plugin options as JSON can leak plaintext OAuth secrets (e.g., fbAppSecret, googleClientSecret, twitterAppSecret, and other social-login credentials) via support tickets, backups, or version control repositories. The CV...
CVE-2026-22192
Technical details are not publicly available in the provided documents. Monitor for updates.
CVE-2026-22202
wpDiscuz before 7.6.47 is affected by a cross-site request forgery that lets an attacker delete all comments for a target email by triggering a crafted GET request containing a valid HMAC key. The attacker can embed the deletecomments action URL in image tags or other resources to cause permanent...
CVE-2026-22216
wpDiscuz 7.6.46 and earlier is affected by a missing rate-limiting vulnerability in the wpdAddSubscription handler (class.WpdiscuzHelperAjax.php). Unauthenticated attackers can submit POST requests to subscribe arbitrary email addresses to post notifications, abusing LIKE wildcard matching in the...
CVE-2026-22210
CVE-2026-22210 affects the WordPress plugin wpDiscuz prior to version 7.6.47. The issue is a cross-site scripting (XSS) vulnerability in the WpdiscuzHelperUpload class that allows injecting arbitrary JavaScript into image and anchor tag attributes via unescaped attachment URLs in HTML output. Att...
CVE-2026-22215
wpDiscuz prior to 7.6.47 is affected by a CSRF flaw in getFollowsPage that allows triggering unauthorized actions without nonce validation. The vulnerability enables an attacker to craft requests to enumerate follow relationships and alter user follow data via the follows page handler. Root cause...
CVE-2026-22204
wpDiscuz prior to 7.6.47 has an email header injection due to unsanitized comment_author_email cookie. An attacker can craft a cookie value that, after urldecode() is processed by wp_mail(), injects headers or alters recipients. The exact impact and exploit status are not elaborated beyond the de...