cvebase

gVectors wpDiscuz vulnerabilities

33 known vulnerabilities affecting gvectors/wpdiscuz.

Total CVEs: 33
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 3, HIGH 8, MEDIUM 22

Vulnerabilities

Page 2 of 2
CVE-2026-22201 | P4 | MEDIUM | CVSS 5.3 | fixed in 7.6.47 | 2026-03-13
CWE-348: wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP() function that allows attackers to bypass IP-based rate limiting and ban enforcement by trusting untrusted HTTP headers. Attackers can set HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR headers to spoof their IP address and circumvent security controls.
Source: nvd
CVE-2026-22191 | P4 | MEDIUM | CVSS 5.2 | fixed in 7.6.47 | 2026-03-13
CWE-94: Beghelli Sicuro24 SicuroWeb contains a template injection vulnerability that allows attackers to inject arbitrary AngularJS expressions by exploiting improper rendering of untrusted input in AngularJS template contexts. Attackers can inject malicious expressions that are compiled and executed by the AngularJS 1.5.2 runtime to achieve arbitrary JavaSc
Source: nvd
CVE-2026-22215 | P4 | MEDIUM | CVSS 5.4 | fixed in 7.6.47 | 2026-03-13
CWE-352: wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability in the getFollowsPage() function that allows attackers to trigger unauthorized actions without nonce validation. Attackers can craft malicious requests to enumerate follow relationships and manipulate user follow data by exploiting the missing CSRF protection in the follows p
Source: nvd
CVE-2023-46310 | P4 | MEDIUM | CVSS 6.1 | fixed in 7.6.11 | 2024-06-04
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpDiscuz allows Code Injection. This issue affects wpDiscuz: from n/a through 7.6.10.
Source: nvd
CVE-2024-35681 | P4 | MEDIUM | CVSS 5.4 | fixed in 7.6.19 | 2024-06-08
CWE-79: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in gVectors Team wpDiscuz allows Stored XSS. This issue affects wpDiscuz: from n/a through 7.6.18.
Source: nvd
CVE-2023-47185 | P4 | MEDIUM | CVSS 6.1 | ≤ 7.6.11 | 2023-11-06
CWE-79: Unauth. Stored Cross-Site Scripting (XSS) vulnerability in gVectors Team Comments — wpDiscuz plugin <= 7.6.11 versions.
Source: nvd
CVE-2026-22210 | P4 | MEDIUM | CVSS 6.1 | fixed in 7.6.47 | 2026-03-13
CWE-79: wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary JavaScript into img and anchor tag attributes, executing
Source: nvd
CVE-2024-2477 | P4 | MEDIUM | CVSS 5.4 | fixed in 7.6.16 | 2024-04-23
CWE-79: The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of an uploaded image in all versions up to, and including, 7.6.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scrip
Source: nvd
CVE-2026-22183 | P4 | MEDIUM | CVSS 5.4 | fixed in 7.6.47 | 2026-03-13
CWE-79: wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in the inline comment preview functionality that allows authenticated users to inject malicious scripts by submitting comments with unescaped content. Attackers with unfiltered_html capabilities can inject JavaScript directly through comment content rendered in the AJAX respo
Source: nvd
CVE-2021-24806 | P4 | MEDIUM | CVSS 4.3 | fixed in 7.3.4 | 2021-11-08
CWE-352: The wpDiscuz WordPress plugin before 7.3.4 does not check for CSRF when adding, editing and deleting comments, which could allow an attacker to make logged-in users such as an admin edit and delete arbitrary comments, or make the user who made a comment edit it, via a CSRF attack. Attackers could also make logged-in users post arbitrary comments.
Source: nvd
CVE-2026-22209 | P4 | MEDIUM | CVSS 4.8 | fixed in 7.6.47 | 2026-03-13
CWE-79: wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads like alert(1) in the custom CSS setting to execute arbitrary JavaScript in user browsers.
Source: nvd
CVE-2021-24737 | P4 | MEDIUM | CVSS 4.8 | ≤ 7.3.0 | 2021-10-11
CWE-79: The Comments – wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Source: nvd
CVE-2023-51691 | P4 | MEDIUM | CVSS 4.8 | ≤ 7.6.12 | 2024-02-01
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team Comments – wpDiscuz allows Stored XSS. This issue affects Comments – wpDiscuz: from n/a through 7.6.12.
Source: nvd