Stored Cross-Site Scripting in wpDiscuz Plugin for WordPress
CVE-2026-9148

7.2 HIGH

Key Information:

Vendor: WordPress
CVE Published: 3 July 2026

What is CVE-2026-9148?

The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting because the 'Website' field of guest comments is not adequately escaped on output. The flaw is in the getCommentAuthor() function, which fails to adequately sanitize the value of comment_author_url. This allows unauthenticated attackers to inject web scripts into pages, and those scripts execute whenever a user accesses an injected page. The vulnerability therefore poses a significant risk to users of sites running the wpDiscuz plugin.
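For site owners checking existing data, the following added example (not code from the plugin or from this advisory) audits stored Website values for content that is unsafe to print without escaping. It assumes rows exported from the WordPress wp_comments table with the comment_ID and comment_author_url columns; the function names and sample rows are hypothetical.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Characters that can end an HTML attribute value or open a tag when the URL
# is written into markup without escaping.
MARKUP_CHARS = set("\"'<>`")


def audit_author_url(url):
    """Return the reasons a stored Website value is unsafe to print unescaped."""
    reasons = []
    if not url:
        return reasons  # guest left the Website field empty
    if any(ch in MARKUP_CHARS for ch in url):
        reasons.append("markup-character")
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        reasons.append("whitespace-or-control")
    try:
        scheme = urlsplit(url.strip()).scheme.lower()
    except ValueError:
        return reasons + ["unparseable"]
    if scheme and scheme not in ALLOWED_SCHEMES:
        reasons.append("scheme:" + scheme)
    return reasons


def audit_comments(rows):
    """Map comment_ID -> reasons for every row whose URL needs review."""
    flagged = {}
    for row in rows:
        reasons = audit_author_url(row.get("comment_author_url", ""))
        if reasons:
            flagged[row["comment_ID"]] = reasons
    return flagged


# Constructed sample rows (not taken from any real site).
SAMPLE_ROWS = [
    {"comment_ID": 1, "comment_author_url": "https://example.test/blog"},
    {"comment_ID": 2, "comment_author_url": ""},
    {"comment_ID": 3, "comment_author_url": 'https://example.test/" data-x="1'},
    {"comment_ID": 4, "comment_author_url": "javascript:void(0)"},
]

if __name__ == "__main__":
    for comment_id, reasons in audit_comments(SAMPLE_ROWS).items():
        print(comment_id, ", ".join(reasons))
```

A flagged row is a candidate for moderation review; cleaning stored data does not replace updating the plugin beyond the affected versions.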

Affected Version(s)

Comments – wpDiscuz 0 <= 7.6.56

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

mickeyjoe