Primary

Context

wpDiscuz Cross-Site Scripting Vulnerability via Unescaped Attachment URLs

Vulnerability

Patched

A cross-site scripting vulnerability has been identified in wpDiscuz versions prior to 7.6.47. This issue allows attackers to inject malicious code by exploiting unescaped attachment URLs in the HTML output, particularly through the WpdiscuzHelperUpload class. By crafting harmful attachment records or using filter hooks, attackers can embed arbitrary JavaScript into the attributes of image and anchor tags. This injected code is executed in the context of WordPress users who are viewing comments.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user viewing the comments.

Added: Mar 13, 2026, 8:08 PM

Updated: Mar 13, 2026, 8:08 PM

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

1.7

exploitability

5.2

remediation

7.7

relevance

3.8

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

1.7

exploitability

5.2

remediation

7.7

relevance

3.8

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

wpDiscuz Cross-Site Scripting Vulnerability via Unescaped Attachment URLs

Vulnerability

Impact

Affected Products

AdvancedCoding wpDiscuz

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating