Plugin Name: wpDiscuz
- Software Type: Plugin
- Software Slug: wpdiscuz
- Software Status: Active
- Software Author: advancedcoding
- Software Downloads: 3,042,036
- Active Installs: 80,000
- Last Updated: November 17, 2023
- Patched Versions: 7.6.13
- Affected Versions: <= 7.6.12
- Name: wpDiscuz <= 7.6.12 - Authenticated (Administrator+) Stored Cross-Site Scripting
- Title: Authenticated (Administrator+) Stored Cross-Site Scripting
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVSS Score: 4.4 (Medium)
- Publicly Published: November 17, 2023
- Description: The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 7.6.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
The wpDiscuz plugin for WordPress has a vulnerability in versions up to and including 7.6.12 that allows authenticated users with admin privileges to inject malicious scripts into pages. This vulnerability has been patched in version 7.6.13.
The vulnerability was reported by the Wordfence Threat Intelligence team on November 17, 2023. It affects wpDiscuz versions up to and including 7.6.12. The developer has released version 7.6.13 to address this issue by properly sanitizing and escaping user input.
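To show what "properly sanitizing and escaping user input" means for this bug class, here is an added example (not wpDiscuz code, and not the project's actual fix) of a hypothetical admin setting stored through the WordPress options API: the weak pattern that produces a stored XSS beside the hardened form. The option name `example_footer_note`, the nonce action and the function names are placeholders; it assumes the usual WordPress core functions (`update_option`, `wp_kses_post`, `current_user_can`, `esc_html`) are available.

```php
<?php
// Added illustration, not wpDiscuz code. Option/field names are placeholders.
// Assumes it runs inside WordPress, where the options API, wp_kses_post(),
// current_user_can() and the esc_* helpers are core functions.

// --- Weak pattern: raw POST data saved, raw option echoed --------------------
function example_save_setting_weak() {
    // Stored as-is: whatever markup the form submits reaches the database.
    update_option( 'example_footer_note', $_POST['example_footer_note'] );
}
function example_render_setting_weak() {
    // Echoed as-is: stored markup is rendered for every visitor of the page.
    echo '<p class="note">' . get_option( 'example_footer_note' ) . '</p>';
}

// --- Hardened pattern: sanitize on input, escape on output -------------------
function example_save_setting_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // only administrators may change plugin settings
    }
    check_admin_referer( 'example_save_setting' ); // nonce check for the form
    $raw = isset( $_POST['example_footer_note'] )
        ? wp_unslash( $_POST['example_footer_note'] )
        : '';

    // Honour the site's HTML policy. On multisite, or where the unfiltered_html
    // capability has been removed, even an administrator may not store raw
    // HTML, so the value is reduced to the post-safe allow-list. A user who
    // does hold unfiltered_html is already trusted by WordPress with raw markup.
    $value = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );
    update_option( 'example_footer_note', $value );
}
function example_render_setting_hardened() {
    // Escape at the point of output regardless of what was stored. wp_kses_post()
    // is used because this setting legitimately allows limited HTML; a
    // plain-text setting would use esc_html() instead (esc_attr() in attributes).
    $note = get_option( 'example_footer_note', '' );
    echo '<p class="note">' . wp_kses_post( $note ) . '</p>';
}

// Plain-text variant for settings that should never carry markup.
function example_render_plain_setting( $option_name ) {
    return '<span>' . esc_html( get_option( $option_name, '' ) ) . '</span>';
}
```

The key point the advisory makes is visible in the hardened save path: a plugin must not assume an administrator may store raw HTML, because that decision belongs to the `unfiltered_html` capability, which multisite and hardened installs withhold.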
This vulnerability poses a serious risk, as compromised admin accounts could be used to inject malicious scripts into pages to steal session cookies or sensitive information from users. While unauthenticated users are not directly affected, the injected scripts will execute for any user that views a compromised page.
Advice for Users:
- Immediate Action: Upgrade to wpDiscuz version 7.6.13 as soon as possible.
- Alternate Plugins: Consider a comment plugin like Disqus or Facebook Comments as a temporary precaution.
- Stay Updated: Always keep plugins updated and review changelogs for security fixes.
This vulnerability highlights the ongoing need for secure coding practices and rapid response to disclosed issues by developers. Users should install the 7.6.13 patch immediately to prevent exploitation of this stored XSS flaw. Prompt updates are key to keeping WordPress sites secure.
About the wpDiscuz Plugin
The wpDiscuz plugin, developed by advancedcoding, is a popular comments plugin for WordPress with over 3 million downloads and 80,000 active installs. It allows site owners to customize and manage comments on their WordPress sites.
Details of the Vulnerability
The vulnerability was given a CVSS severity score of 4.4 out of 10, meaning it is ranked as a medium-risk vulnerability.
This vulnerability poses a serious threat if exploited, as compromised admin accounts could inject malicious scripts across the site. Attackers could leverage this to steal session cookies, hijack accounts, or extract other sensitive information from users.
While unauthenticated users are not directly affected, the injected scripts will execute for any user that views a compromised page, exposing them to risk as well.
How to Check if Your Site is Vulnerable
Any site running wpDiscuz version 7.6.12 or below is affected; per the advisory, the issue only manifests on multisite installations and on installations where the unfiltered_html capability has been disabled. Users should check their plugin version by going to Plugins > Installed Plugins in their WordPress dashboard.
How to Fix the Vulnerability
The developer has issued wpDiscuz version 7.6.13 to fix this vulnerability. Users should update to the latest version as soon as possible.
As a precaution, site owners can also consider switching to an alternate commenting plugin like Disqus or Facebook Comments until the update can be completed.
Importance of Staying Updated
This vulnerability underscores the critical importance of keeping your WordPress site updated. Developers release security patches for vulnerabilities like this frequently, so staying on top of updates for your plugins, themes, and WordPress core is essential.
At a minimum, site owners should have automatic background updates enabled for WordPress core. Monitoring your site's plugins and themes for updates regularly is also recommended.
Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.
Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.