Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-03-17
CVE-2026-22210 - Wpdiscuz Plugin
wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary JavaScript into img and anchor tag attributes, executing code in the context of WordPress users viewing comments.
PLUGIN
Wpdiscuz
CVE-2026-22210
Risk Score
Threat Entry
Updated 2024-11-06
CVE-2024-9488 - Wpdiscuz Plugin
The Comments – wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
PLUGIN
Wpdiscuz
CVE-2024-9488
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-6704 - Wpdiscuz Plugin
The Comments – wpDiscuz plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 7.6.21. This is due to a lack of filtering of HTML tags in comments. This makes it possible for unauthenticated attackers to add HTML such as hyperlinks to comments when rich editing is disabled.
PLUGIN
Wpdiscuz
CVE-2024-6704
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-2477 - Wpdiscuz Plugin
The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of an uploaded image in all versions up to, and including, 7.6.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wpdiscuz
CVE-2024-2477
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-3998 - Wpdiscuz Plugin
The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the userRate function in versions up to, and including, 7.6.3. This makes it possible for unauthenticated attackers to increase or decrease the rating of a post.
PLUGIN
Wpdiscuz
CVE-2023-3998
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-3869 - Wpdiscuz Plugin
The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the voteOnComment function in versions up to, and including, 7.6.3. This makes it possible for unauthenticated attackers to increase or decrease the rating of a comment.
PLUGIN
Wpdiscuz
CVE-2023-3869
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-23984 - Wpdiscuz Plugin
Sensitive information disclosure discovered in wpDiscuz WordPress plugin (versions
PLUGIN
Wpdiscuz
CVE-2022-23984
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24806 - Wpdiscuz Plugin
The wpDiscuz WordPress plugin before 7.3.4 does check for CSRF when adding, editing and deleting comments, which could allow attacker to make logged in users such as admin edit and delete arbitrary comment, or the user who made the comment to edit it via a CSRF attack. Attackers could also make logged in users post arbitrary comment.
PLUGIN
Wpdiscuz
CVE-2021-24806
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24737 - Wpdiscuz Plugin
The Comments – wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
PLUGIN
Wpdiscuz
CVE-2021-24737
Risk Score