The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the guest commenter 'Website' field in versions up to, and including, 7.6.56 This is due to insufficient output escaping in the getCommentAuthor() function, which interpolates the stored comment_author_url value directly into single-quoted HTML attributes without applying esc_url() or esc_attr(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 06 Jul 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Advancedcoding
Advancedcoding comments – Wpdiscuz
Wordpress
Wordpress wordpress
Vendors & Products Advancedcoding
Advancedcoding comments – Wpdiscuz
Wordpress
Wordpress wordpress

Mon, 06 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Jul 2026 08:00:00 +0000

Type Values Removed Values Added
Description The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the guest commenter 'Website' field in versions up to, and including, 7.6.56 This is due to insufficient output escaping in the getCommentAuthor() function, which interpolates the stored comment_author_url value directly into single-quoted HTML attributes without applying esc_url() or esc_attr(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Comments <= 7.6.56 - Unauthenticated Stored Cross-Site Scripting via 'Website' Field
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-07-03T06:50:12.154Z

Updated: 2026-07-06T15:32:18.602Z

Reserved: 2026-05-20T21:18:38.233Z

Link: CVE-2026-9148

cve-icon Vulnrichment

Updated: 2026-07-06T15:32:14.563Z

cve-icon NVD

No data.

cve-icon Redhat

No data.