Wpdiscuz Vulnerabilities

Security vulnerability tracking for Gvectors Wpdiscuz

Last updated: Mar 13, 2026

Total CVEs: 13
Critical: 1
With Exploits: 11
Last 30 Days: 13

Vulnerability Timeline

13 vulnerabilities discovered over time for Wpdiscuz

Severity Distribution

Critical: 1 (8%)
High: 1 (8%)
Medium: 10 (77%)
Low: 1 (8%)

Description | Vendor / Product | Exploit Status
CVE-2026-22216 (CVSS 6.9)

This vulnerability allows attackers to send unwanted notification emails to multiple email addresses by exploiting a flaw in the wpDiscuz plugin, which does not limit how many subscriptions can be made. The attacker does not need to be logged in, making it easy for anyone to abuse this issue by sending specially crafted requests.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)
CVE-2026-22215 (CVSS 5.3)

This vulnerability allows attackers to send unauthorized requests that can reveal or change user follow relationships on wpDiscuz without proper security checks. To exploit this, the attacker needs to trick a logged-in user into clicking a malicious link while they are on the site.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)
CVE-2026-22210 (CVSS 2.1)

This vulnerability allows attackers to inject malicious JavaScript into comments on WordPress sites using the wpDiscuz plugin, which can then execute when other users view those comments. It requires the attacker to create specially crafted attachment records or use specific hooks to exploit the issue, affecting users who interact with the comments.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)
CVE-2026-22209 (CVSS 5.1)

This vulnerability allows an attacker with admin access to inject harmful scripts into the website's custom CSS settings, which can then run arbitrary JavaScript in the browsers of users visiting the site. This means that if an attacker can log in as an admin, they can potentially execute malicious actions on users' devices.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)
CVE-2026-22204 (CVSS 6.3)

This vulnerability allows attackers to manipulate email recipients by injecting harmful data into a specific cookie used by the wpDiscuz plugin. To exploit this, the attacker needs to craft a malicious cookie value that the system processes, which can lead to unauthorized emails being sent to unintended recipients.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)
CVE-2026-22203 (CVSS 6.9)

This vulnerability allows attackers to access sensitive API secrets, such as social login credentials, if administrators accidentally export plugin settings as JSON files. This can happen through support tickets, backups, or version control systems, making it crucial for administrators to handle these exports carefully.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)
CVE-2026-22202 (CVSS 6.1)

This vulnerability allows attackers to permanently delete all comments linked to a specific email address by tricking users into clicking on a malicious link or image. It requires the attacker to have a valid HMAC key and can be exploited without any confirmation from the user, making it particularly dangerous.

gvectors / wpdiscuz
Theoretical
25 days ago (Mar 13, 2026)
CVE-2026-22201 (CVSS 6.9)

This vulnerability allows attackers to bypass IP-based security measures, like rate limiting and bans, by pretending to be from a different IP address using manipulated HTTP headers. It affects versions of wpDiscuz before 7.6.47, meaning that if you’re using an older version, your site could be at risk from attackers who exploit this weakness.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)
CVE-2026-22199 (CVSS 6.9)

This vulnerability allows attackers to manipulate comment votes on wpDiscuz by tricking the system into thinking they are different users, enabling them to vote multiple times. They can do this by changing their User-Agent headers and using a specific endpoint to get new voting tokens, which means they don't need to be logged in to exploit the issue.

gvectors / wpdiscuz
Theoretical
25 days ago (Mar 13, 2026)
CVE-2026-22193 (CVSS 9.2)

This vulnerability allows attackers to manipulate database queries and potentially access sensitive information by injecting harmful SQL code through certain input fields in the wpDiscuz plugin. It affects versions before 7.6.47 and requires the attacker to send specially crafted data through parameters like email or subscription date.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)
CVE-2026-22192 (CVSS 6.3)

This vulnerability allows authenticated attackers to inject harmful JavaScript into a website by uploading a specially crafted options file. It requires the attacker to have access to the site's backend and can lead to the malicious script running on every page viewed by users, compromising their experience and security.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)
CVE-2026-22183 (CVSS 5.3)

This vulnerability allows an attacker to inject malicious JavaScript into comments on a website using the wpDiscuz plugin, which can then be executed when other users view those comments. To exploit this, the attacker must be an authenticated user with the ability to submit comments, and the website must not properly filter or escape the comment content.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)
CVE-2026-22182 (CVSS 8.7)

This vulnerability allows an attacker to overwhelm subscribers with mass notification emails by exploiting a flaw in the wpDiscuz plugin, which lets anyone send repeated requests without proper checks. The attacker just needs to know the post and comment IDs, and they can easily flood users' inboxes without needing to log in.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)

About Gvectors Wpdiscuz Security

This page provides comprehensive security vulnerability tracking for Gvectors Wpdiscuz. Our database includes all CVEs affecting this product, updated in real-time from official sources.

Each vulnerability listing includes detailed CVSS severity analysis, exploit availability status, AI-generated explanations, and direct links to official security patches and vendor advisories.

Security Recommendations

  • Always keep Wpdiscuz updated to the latest version
  • Subscribe to security advisories from Gvectors
  • Monitor this page for new vulnerabilities affecting your version
  • Prioritize patching critical and high severity issues immediately