Comments – wpDiscuz

IMPORTANT!

Please remember to delete all caches and purge CDN after the update.

Comments – wpDiscuz v7.6.51-v7.6.54 – 10.04.2026

• Fixed: An issue with wpDiscuz nonce validation

Comments – wpDiscuz v7.6.50 – 02.04.2026

• Fixed: An issue with wpDiscuz nonce validation
• Added: Load wpDiscuz comments for block themes automatically
• Added: Support for attachment preview replace (no need to re-upload all attachments anymore)

Comments – wpDiscuz v7.6.49 – 26.03.2026

• Fixed: The images in the comments were displayed twice.

Comments – wpDiscuz v7.6.48 – 21.03.2026

• Added: A new filter hook “wpdiscuz_show_vote” to allow hiding/showing vote buttons for certain comments.
• Added: A new filter hook “wpdiscuz_post_attachments_as_gallery” to allow controlling whether a post’s attachments should be displayed as a gallery or not.
• Fixed: Prevent adding unnecessary statistics on comment deletion.
• Fixed: Guests can’t vote on guest comments.
• Fixed: Issue with adding nonce in cookies that leads to an issue with nonce verification.

Comments – wpDiscuz v7.6.47 – 11.03.2026

• Security: Unauth Email Notification Flood via wpdCheckNotificationType
• Security: Stored XSS in Inline Comment Preview
• Security: Shortcode Injection via Email Notifications
• Security: Stored XSS via Malicious Options Import
• Security: SQL Injection in getAllSubscriptions()
• Security: Vote Manipulation via Nonce Oracle and IP Rotation
• Security: IP Spoofing in getIP()
• Security: Destructive GET Action — Delete All Comments by Email
• Security: Options Export Leaks OAuth Secrets in Plaintext
• Security: Unsanitized Cookie Email Used as wp_mail() Recipient
• Security: XSS via Unescaped Custom CSS in Tag
• Security: Unescaped Attachment URLs in HTML Output
• Security: Missing Nonce on wpdGetFollowsPage
• Security: No Rate Limiting on Subscription Endpoints + LIKE Wildcard Bypass

Comments – wpDiscuz v7.6.46 – 09.02.2026

• Added: A new filter hook “wpdiscuz_is_update_nonce_with_ajax” to control nonce ajax requests for guests

Comments – wpDiscuz v7.6.45 – 19.01.2026

• Added: A new filter hook “wpdiscuz_validate_nonce_for_guests” to control wpdGetNonce ajax requests for guest users

Comments – wpDiscuz v7.6.44 – 15.01.2026

• Security: Fixed IDOR vulnerability in AJAX actions (CVE-2025-68997)
• Security: Added post access authorization check to voteOnComment – uses $comment->comment_post_ID from database, not user-supplied postId (prevents parameter manipulation bypass)
• Security: Added server-side rate limiting to AJAX actions (vote 20/min, rate 10/min, follow 15/min, subscribe 10/min)
• Security: Rate limiting on voteOnComment, userRate, followUser, addSubscription
• Security: Enhanced client fingerprinting (IP + User-Agent + Accept-Language)
• Security: Rate limiting executes before nonce validation for maximum protection
• Security: Object validation – verifies comment exists and is approved before processing
• Security: Post status validation – blocks access to private/password-protected posts for unauthorized users

Comments – wpDiscuz v7.6.43 – 12.01.2026

• Fixed: Insecure Direct Object References (IDOR) vulnerability

Comments – wpDiscuz v7.6.42 – 23.12.2025

• Fixed: An issue with inline commenting in Elementor

Comments – wpDiscuz v7.6.41 – 22.12.2025

• Updated: Added gutenberg toolbar button for inline feedback shortcode generation

Comments – wpDiscuz v7.6.40 – 09.12.2025

• Fixed: Disqus login vulnerability