CVE-2026-9148: The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the guest commenter 'Website' field in versions up to, and including, 7.6.56 This is d
The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the guest commenter 'Website' field in versions up to, and including, 7.6.56 This is due to insufficient output escaping in the getCommentAuthor() function, which interpolates the stored comment_author_url value directly into single-quoted HTML attributes without applying esc_url() or esc_attr(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-9148
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-91480.30% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 22% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-9148 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for Comments
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- highCVE-2026-13114: The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to…nvd · 2026-07-11
- mediumCVE-2026-11798: The Social Share, Social Login and Social Comments Plugin – Super Socializer plugin for WordPr…nvd · 2026-07-08
- criticalCVE-2026-14740: DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an in…nvd · 2026-07-07
- mediumCVE-2026-9626: The JSON API User plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'co…nvd · 2026-07-03
- criticalCVE-2026-14740: DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an in…msrc · 2026-07-02
- mediumCVE-2026-57921: In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' priva…nvd · 2026-06-26
More from NVD Recent CVEs
- highCVE-2026-58281: Deserialization of untrusted data in Microsoft Edge (Chromium-based) allows an unauthorized at…2026-07-11
- mediumCVE-2026-10660: The Bluetooth BAP Broadcast Assistant GATT client in subsys/bluetooth/audio/bap_broadcast_assi…2026-07-11
- lowCVE-2026-61870: ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the VIFF encoder when memo…2026-07-11
- lowCVE-2026-61861: ImageMagick before 7.1.2-26 contains a use-after-free vulnerability in the FormatMagickCaption…2026-07-11
- lowCVE-2026-61858: ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and ext…2026-07-11