Stored Cross-Site Scripting in wpDiscuz Plugin for WordPress
CVE-2026-9148
7.2 HIGH
What is CVE-2026-9148?
The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting through the 'Website' field of guest comments, caused by inadequate output escaping. The flaw is in the getCommentAuthor() function, which fails to adequately sanitize the comment_author_url value. Unauthenticated attackers can therefore embed malicious web scripts in pages, and those scripts execute whenever a user accesses an affected page. The vulnerability poses a significant risk to users who interact with the wpDiscuz plugin.
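As an added illustration (not wpDiscuz's code; the function names and sample values are constructed for this example), the PHP below contrasts writing a stored Website value into an href unescaped with validating its scheme and escaping it for the attribute context. Inside WordPress, the core helpers esc_url() and esc_html() serve this purpose.

```php
<?php
// Added illustration: NOT the plugin's source. Function names are hypothetical.

// Unsafe pattern: the stored Website value is concatenated into the href as-is.
function render_author_unsafe(string $name, string $url): string
{
    return '<a href="' . $url . '" rel="nofollow">' . $name . '</a>';
}

// Hardened pattern: allowlist the URL scheme, then escape for the HTML context.
function render_author_safe(string $name, string $url): string
{
    $safeName = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $url      = trim($url);
    $scheme   = strtolower((string) parse_url($url, PHP_URL_SCHEME));

    // Only http(s) links are rendered; any other scheme (or none) drops the link
    // and shows the author name as plain text.
    if ($url === '' || !in_array($scheme, ['http', 'https'], true)) {
        return $safeName;
    }

    // ENT_QUOTES encodes both quote styles, so the value cannot close the
    // attribute and start new markup.
    $safeUrl = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $safeUrl . '" rel="nofollow">' . $safeName . '</a>';
}

// Constructed sample values for the guest comment "Website" field.
$samples = [
    'https://example.test/',
    'https://example.test/"><b>injected-markup</b>',
    'javascript:void(0)',
];

foreach ($samples as $url) {
    echo 'input:  ', $url, PHP_EOL;
    echo 'unsafe: ', render_author_unsafe('Guest', $url), PHP_EOL;
    echo 'safe:   ', render_author_safe('Guest', $url), PHP_EOL, PHP_EOL;
}
```

In the unsafe output for the second sample, the quote in the stored value closes the href attribute and the rest is parsed as markup; the hardened output keeps the whole value inside the attribute as encoded text.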
Affected Version(s)
Comments – wpDiscuz 0 <= 7.6.56