Gvectors Vulnerabilities

Comprehensive security vulnerability database for Gvectors products

Last updated: Mar 13, 2026

Total CVEs: 22
Critical: 1
With Exploits: 11
Last 30 Days: 13

Severity Distribution

Critical: 1 (5%)
High: 3 (14%)
Medium: 17 (77%)
Low: 1 (5%)
Description | Vendor / Product | Exploit Status

CVE-2026-22216 (CVSS 6.9)

This vulnerability allows attackers to send unwanted notification emails to multiple email addresses by exploiting a flaw in the wpDiscuz plugin, which does not limit how many subscriptions can be made. The attacker does not need to be logged in, making it easy for anyone to abuse this issue by sending specially crafted requests.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)

CVE-2026-22215 (CVSS 5.3)

This vulnerability allows attackers to send unauthorized requests that can reveal or change user follow relationships on wpDiscuz without proper security checks. To exploit this, the attacker needs to trick a logged-in user into clicking a malicious link while they are on the site.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)

CVE-2026-22210 (CVSS 2.1)

This vulnerability allows attackers to inject malicious JavaScript into comments on WordPress sites using the wpDiscuz plugin, which can then execute when other users view those comments. It requires the attacker to create specially crafted attachment records or use specific hooks to exploit the issue, affecting users who interact with the comments.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)

CVE-2026-22209 (CVSS 5.1)

This vulnerability allows an attacker with admin access to inject harmful scripts into the website's custom CSS settings, which can then run arbitrary JavaScript in the browsers of users visiting the site. This means that if an attacker can log in as an admin, they can potentially execute malicious actions on users' devices.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)

CVE-2026-22204 (CVSS 6.3)

This vulnerability allows attackers to manipulate email recipients by injecting harmful data into a specific cookie used by the wpDiscuz plugin. To exploit this, the attacker needs to craft a malicious cookie value that the system processes, which can lead to unauthorized emails being sent to unintended recipients.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)

CVE-2026-22203 (CVSS 6.9)

This vulnerability allows attackers to access sensitive API secrets, such as social login credentials, if administrators accidentally export plugin settings as JSON files. This can happen through support tickets, backups, or version control systems, making it crucial for administrators to handle these exports carefully.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)

CVE-2026-22202 (CVSS 6.1)

This vulnerability allows attackers to permanently delete all comments linked to a specific email address by tricking users into clicking on a malicious link or image. It requires the attacker to have a valid HMAC key and can be exploited without any confirmation from the user, making it particularly dangerous.

gvectors / wpdiscuz
Theoretical
25 days ago (Mar 13, 2026)

CVE-2026-22201 (CVSS 6.9)

This vulnerability allows attackers to bypass IP-based security measures, like rate limiting and bans, by pretending to be from a different IP address using manipulated HTTP headers. It affects versions of wpDiscuz before 7.6.47, meaning that if you’re using an older version, your site could be at risk from attackers who exploit this weakness.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)

CVE-2026-22199 (CVSS 6.9)

This vulnerability allows attackers to manipulate comment votes on wpDiscuz by tricking the system into thinking they are different users, enabling them to vote multiple times. They can do this by changing their User-Agent headers and using a specific endpoint to get new voting tokens, which means they don't need to be logged in to exploit the issue.

gvectors / wpdiscuz
Theoretical
25 days ago (Mar 13, 2026)

CVE-2026-22193 (CVSS 9.2)

This vulnerability allows attackers to manipulate database queries and potentially access sensitive information by injecting harmful SQL code through certain input fields in the wpDiscuz plugin. It affects versions before 7.6.47 and requires the attacker to send specially crafted data through parameters like email or subscription date.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)

CVE-2026-22192 (CVSS 6.3)

This vulnerability allows authenticated attackers to inject harmful JavaScript into a website by uploading a specially crafted options file. It requires the attacker to have access to the site's backend and can lead to the malicious script running on every page viewed by users, compromising their experience and security.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)

CVE-2026-22183 (CVSS 5.3)

This vulnerability allows an attacker to inject malicious JavaScript into comments on a website using the wpDiscuz plugin, which can then be executed when other users view those comments. To exploit this, the attacker must be an authenticated user with the ability to submit comments, and the website must not properly filter or escape the comment content.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)

CVE-2026-22182 (CVSS 8.7)

This vulnerability allows an attacker to overwhelm subscribers with mass notification emails by exploiting a flaw in the wpDiscuz plugin, which lets anyone send repeated requests without proper checks. The attacker just needs to know the post and comment IDs, and they can easily flood users' inboxes without needing to log in.

gvectors / wpdiscuz
Exploit Available
25 days ago (Mar 13, 2026)

CVE-2026-28562 (CVSS 8.8)

This vulnerability allows an attacker to extract sensitive information, like user credentials, from the WordPress database by manipulating a specific parameter in the wpForo forum software. It can be exploited without needing to log in, making it particularly dangerous for sites using version 2.4.14.

gvectors / wpforo forum
Theoretical
about 1 month ago (Feb 28, 2026)

CVE-2026-28561 (CVSS 4.8)

This vulnerability allows an attacker to inject malicious JavaScript into a forum's description, which can then run whenever any user views that forum. It requires either a compromised admin account or a multisite setup where the attacker can modify the forum description.

gvectors / wpforo forum
Theoretical
about 1 month ago (Feb 28, 2026)

CVE-2026-28560 (CVSS 4.8)

This vulnerability allows an attacker to inject malicious scripts that can run in the browsers of all visitors to a wpForo forum. It occurs when an attacker manipulates the forum's URL by including certain characters, which lets them break out of the intended code and execute their own scripts.

gvectors / wpforo forum
Theoretical
about 1 month ago (Feb 28, 2026)

CVE-2026-28559 (CVSS 6.9)

This vulnerability allows attackers to access private and unapproved forum topics by exploiting the RSS feed feature, even if they are not logged in. It occurs when they request the feed without specifying a forum ID, which skips important privacy checks meant to protect that information.

gvectors / wpforo forum
Theoretical
about 1 month ago (Feb 28, 2026)

CVE-2026-28558 (CVSS 5.1)

This vulnerability allows an attacker to execute malicious code in the web browsers of users who view their profile page by uploading a specially crafted SVG file as their avatar. To exploit this, the attacker must be an authenticated subscriber on the wpForo Forum platform.

gvectors / wpforo forum
Theoretical
about 1 month ago (Feb 28, 2026)

CVE-2026-28557 (CVSS 7.1)

This vulnerability allows an attacker, who is already logged in as an authenticated user, to change the user group assignments for all users in the wpForo forum to any WordPress role they choose. By exploiting this flaw, they can gain unauthorized access to sensitive areas of the forum or elevate their own privileges.

gvectors / wpforo forum
Theoretical
about 1 month ago (Feb 28, 2026)

CVE-2026-28556 (CVSS 5.3)

This vulnerability allows authenticated users, like regular subscribers, to move, merge, or split any forum topics without needing moderator permissions, potentially relocating sensitive discussions to private areas. To exploit this, the attacker must have a valid form nonce, which means they need to be logged into the forum.

gvectors / wpforo forum
Theoretical
about 1 month ago (Feb 28, 2026)

Showing 1 to 20 of 22 results

About Gvectors Security

This page tracks all publicly disclosed security vulnerabilities (CVEs) affecting Gvectors products. Our database is updated in real-time from the National Vulnerability Database (NVD) and enriched with exploit information from GitHub and other security research sources.

Each CVE listing includes CVSS severity scores, exploit availability status, AI-powered vulnerability summaries, and links to official patches and security advisories.