
Gvectors Wpdiscuz vulnerabilities

33 known vulnerabilities affecting gvectors/wpdiscuz.

Total CVEs: 33
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 3, HIGH 8, MEDIUM 22

Vulnerabilities

Page 1 of 2
Columns: CVE | priority | severity | CVSS | flags and affected/fixed versions | published

CVE-2020-13640 | P1 | CRITICAL | CVSS 9.8 | Exploited | PoC | ≤ 5.3.5 | 2020-06-18
CWE-89: A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request. (No 7.x versions are affected.)
Source: nvd

CVE-2020-24186 | P1 | CRITICAL | CVSS 10.0 | PoC | ≥ 7.0, ≤ 7.0.4 | 2020-08-24
CWE-434: A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via the wmuUploadFiles AJAX action.
Source: nvd

CVE-2024-9488 | P2 | CRITICAL | CVSS 9.8 | fixed in 7.6.25 | 2024-10-25
CWE-288: The Comments – wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if t
Source: nvd

CVE-2026-22199 | P3 | HIGH | CVSS 7.5 | fixed in 7.6.47 | 2026-03-13
CWE-290: Voltronic Power SNMP Web Pro version 1.1 contains a pre-authentication path traversal vulnerability in the upload.cgi endpoint that allows unauthenticated attackers to read arbitrary files on the device filesystem by supplying directory traversal sequences in the params parameter. Attackers can exploit this vulnerability to disclose sensitive files suc
Source: nvd

CVE-2026-22193 | P3 | HIGH | CVSS 7.5 | fixed in 7.6.47 | 2026-03-13
CWE-89: wpDiscuz before 7.6.47 contains an SQL injection vulnerability in the getAllSubscriptions() function where string parameters lack proper quote escaping in SQL queries. Attackers can inject malicious SQL code through email, activation_key, subscription_date, and imported_from parameters to manipulate database queries and extract sensitive information.
Source: nvd

CVE-2023-45760 | P3 | HIGH | CVSS 8.8 | fixed in 7.6.4 | 2025-01-02
CWE-862: Missing Authorization vulnerability in AdvancedCoding wpDiscuz wpdiscuz allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpDiscuz: from n/a through <= 7.6.3.
Source: nvd

CVE-2026-22182 | P3 | HIGH | CVSS 7.5 | fixed in 7.6.47 | 2026-03-13
CWE-862: wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType() function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id parameters to flood subscribers with notifications, as t
Source: nvd

CVE-2022-43492 | P3 | HIGH | CVSS 8.8 | v7.4.2 | 2022-11-18
CWE-639: Auth. (subscriber+) Insecure Direct Object References (IDOR) vulnerability in Comments – wpDiscuz plugin 7.4.2 on WordPress.
Source: nvd

CVE-2023-46309 | P3 | HIGH | CVSS 7.3 | fixed in 7.6.11 | 2025-01-02
CWE-862: Missing Authorization vulnerability in AdvancedCoding wpDiscuz wpdiscuz allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpDiscuz: from n/a through <= 7.6.10.
Source: nvd

CVE-2022-23984 | P3 | HIGH | CVSS 7.5 | ≤ 7.3.11 | 2022-02-21
CWE-200: Sensitive information disclosure discovered in wpDiscuz WordPress plugin (versions <= 7.3.11).
Source: nvd

CVE-2026-22192 | P2 | MEDIUM | CVSS 5.4 | fixed in 7.6.47 | 2026-03-13
CWE-79: Voltronic Power SNMP Web Pro version 1.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to access privileged management functions by manipulating browser localStorage values. Attackers can modify client-side authentication state to bypass server-side access controls and gain unauthorized access to protected mana
Source: nvd

CVE-2026-22216 | P3 | MEDIUM | CVSS 5.3 | fixed in 7.6.47 | 2026-03-13
CWE-799: wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple
Source: nvd

CVE-2023-47775 | P3 | HIGH | CVSS 8.8 | fixed in 7.6.12 | 2023-11-22
CWE-352: Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team Comments — wpDiscuz plugin <= 7.6.11 versions.
Source: nvd

CVE-2023-46311 | P4 | MEDIUM | CVSS 6.5 | fixed in 7.6.4 | 2023-12-20
CWE-639: Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments – wpDiscuz. This issue affects Comments – wpDiscuz: from n/a through 7.6.3.
Source: nvd

CVE-2026-22202 | P4 | MEDIUM | CVSS 6.5 | fixed in 7.6.47 | 2026-03-13
CWE-352: wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to trigger permanent deletion of comments without user co
Source: nvd

CVE-2024-6704 | P4 | MEDIUM | CVSS 6.1 | fixed in 7.6.22 | 2024-08-02
CWE-79: The Comments – wpDiscuz plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 7.6.21. This is due to a lack of filtering of HTML tags in comments. This makes it possible for unauthenticated attackers to add HTML such as hyperlinks to comments when rich editing is disabled.
Source: nvd

CVE-2023-3998 | P4 | MEDIUM | CVSS 5.3 | ≤ 7.6.3 | 2023-10-20
CWE-639: The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the userRate function in versions up to, and including, 7.6.3. This makes it possible for unauthenticated attackers to increase or decrease the rating of a post.
Source: nvd

CVE-2023-3869 | P4 | MEDIUM | CVSS 5.3 | ≤ 7.6.3 | 2023-10-20
CWE-639: The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the voteOnComment function in versions up to, and including, 7.6.3. This makes it possible for unauthenticated attackers to increase or decrease the rating of a comment.
Source: nvd

CVE-2026-22203 | P4 | MEDIUM | CVSS 4.9 | fixed in 7.6.47 | 2026-03-13
CWE-200: wpDiscuz before 7.6.47 contains an information disclosure vulnerability that allows administrators to inadvertently expose OAuth secrets by exporting plugin options as JSON. Attackers can obtain exported files containing plaintext API secrets like fbAppSecret, googleClientSecret, twitterAppSecret, and other social login credentials from support tick
Source: nvd

CVE-2026-22204 | P4 | MEDIUM | CVSS 5.3 | fixed in 7.6.47 | 2026-03-13
CWE-20: wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie. Attackers can craft a malicious cookie value that, when processed through urldecode() and passed to wp_mail() functions, enables header injection to alter email r
Source: nvd