CVE-2026-9148
Summary
by MITRE • 07/03/2026
The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the guest commenter 'Website' field in versions up to, and including, 7.6.56. This is due to insufficient output escaping in the getCommentAuthor() function, which interpolates the stored comment_author_url value directly into single-quoted HTML attributes without applying esc_url() or esc_attr(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 07/03/2026
The wpDiscuz plugin for WordPress is a widely used commenting system that provides comment-related functionality for user interaction on WordPress websites. The vulnerability affects versions up to and including 7.6.56, creating a significant security risk for WordPress site administrators who rely on this plugin to manage user comments. The flaw exists in the plugin's handling of guest commenter data, specifically the Website field that users can populate when submitting comments without authentication.
The technical vulnerability stems from improper output escaping within the getCommentAuthor() function, which processes stored comment author URLs. When a guest commenter provides a website URL in a comment submission, the value is stored in the database and later retrieved for display. The function fails to escape this stored data before embedding it in HTML attributes, specifically single-quoted HTML attributes into which the URL value is interpolated directly without any escaping. This flaw falls under the category of stored cross-site scripting vulnerabilities as described by CWE-79 and aligns with attack techniques documented in the MITRE ATT&CK framework under tactic TA0001 (initial access) and technique T1190 (exploitation for client execution).
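As an added illustration (not wpDiscuz's code and not the actual patch), the following stand-alone PHP shows the interpolation pattern the summary describes beside a hardened version, plus a check an administrator could run over already-stored values. The sample comment and the helper names are constructed for this example; safe_url() and attr() stand in for WordPress's esc_url() and esc_attr() so the file runs under plain PHP without WordPress loaded.

```php
<?php
// Constructed sample guest comment. The single quote in the Website field is
// what closes the href attribute early when the value is not escaped.
$comment = [
    'comment_author'     => 'guest',
    'comment_author_url' => "https://example.com/' title='injected",
];

// Vulnerable pattern: stored value dropped straight into a single-quoted attribute.
function render_author_vulnerable(array $c): string {
    return "<a href='{$c['comment_author_url']}' rel='nofollow'>"
        . $c['comment_author'] . '</a>';
}

// Hardened pattern. In WordPress this is esc_url() followed by esc_attr(); the two
// helpers below re-implement the essential behaviour with plain PHP.
function safe_url(string $url): string {
    $url = trim($url);
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    // Only http/https survive; javascript:, data: and missing schemes are dropped.
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';
    }
    return $url;
}

function attr(string $s): string {
    // ENT_QUOTES escapes both ' and " so the attribute boundary cannot be closed.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_author_safe(array $c): string {
    $href = attr(safe_url($c['comment_author_url']));
    $name = attr($c['comment_author']);
    // No link at all when the URL failed the scheme check.
    return $href === ''
        ? $name
        : "<a href='{$href}' rel='nofollow'>{$name}</a>";
}

// Audit helper for comment_author_url values already in the database: flags any
// value that could break out of a single-quoted attribute or uses a bad scheme.
function url_is_suspicious(string $url): bool {
    return strpbrk($url, "'\"<>") !== false || safe_url($url) === '';
}

echo render_author_vulnerable($comment), PHP_EOL;
echo render_author_safe($comment), PHP_EOL;
var_dump(url_is_suspicious($comment['comment_author_url']));
```

Running the file shows the vulnerable markup with the attribute boundary broken, the hardened markup with the quote encoded as an entity, and the audit helper flagging the stored value.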
The operational impact of this vulnerability is that unauthenticated attackers can inject arbitrary web scripts that execute whenever any user accesses a page containing the injected content. This creates a persistent threat: a malicious actor can compromise multiple users simply by submitting a crafted website URL during comment submission. Because the vulnerability is stored, the injected script remains active until it is removed from the database, potentially affecting all visitors to affected WordPress sites regardless of their authentication status. The attack vector specifically targets the guest commenting functionality, making it particularly dangerous for websites that allow public commenting without requiring user registration.
Mitigation should focus on immediately updating the plugin to a version that addresses this vulnerability, as well as applying additional measures such as input validation and output escaping for all user-provided data. Administrators should also consider deploying a Content Security Policy to limit the execution of malicious scripts even if they are injected into the site. The vulnerability demonstrates the critical importance of proper output escaping in web applications, particularly when user-generated content is rendered in HTML contexts. Organizations should review their wpDiscuz configurations and ensure that all input fields undergo appropriate sanitization before being stored or displayed, to prevent similar issues in other components of their WordPress installations.