Comments – wpDiscuz

Changelog

IMPORTANT!

Please remember to delete all caches and purge CDN after the update.

Comments – wpDiscuz v7.6.51-v7.6.54 – 10.04.2026

  • Fixed: An issue with wpDiscuz nonce validation

Comments – wpDiscuz v7.6.50 – 02.04.2026

  • Fixed: An issue with wpDiscuz nonce validation
  • Added: Load wpDiscuz comments for block themes automatically
  • Added: Support for attachment preview replace (no need to re-upload all attachments anymore)

Comments – wpDiscuz v7.6.49 – 26.03.2026

  • Fixed: The images in the comments were displayed twice.

Comments – wpDiscuz v7.6.48 – 21.03.2026

  • Added: A new filter hook “wpdiscuz_show_vote” to allow hiding/showing vote buttons for certain comments.
  • Added: A new filter hook “wpdiscuz_post_attachments_as_gallery” to allow controlling whether a post’s attachments should be displayed as a gallery or not.
  • Fixed: Prevent adding unnecessary statistics on comment deletion.
  • Fixed: Guests can’t vote on guest comments.
  • Fixed: Issue with adding nonce in cookies that leads to an issue with nonce verification.

Comments – wpDiscuz v7.6.47 – 11.03.2026

  • Security: Unauth Email Notification Flood via wpdCheckNotificationType
  • Security: Stored XSS in Inline Comment Preview
  • Security: Shortcode Injection via Email Notifications
  • Security: Stored XSS via Malicious Options Import
  • Security: SQL Injection in getAllSubscriptions()
  • Security: Vote Manipulation via Nonce Oracle and IP Rotation
  • Security: IP Spoofing in getIP()
  • Security: Destructive GET Action — Delete All Comments by Email
  • Security: Options Export Leaks OAuth Secrets in Plaintext
  • Security: Unsanitized Cookie Email Used as wp_mail() Recipient
  • Security: XSS via Unescaped Custom CSS in Tag
  • Security: Unescaped Attachment URLs in HTML Output
  • Security: Missing Nonce on wpdGetFollowsPage
  • Security: No Rate Limiting on Subscription Endpoints + LIKE Wildcard Bypass

Comments – wpDiscuz v7.6.46 – 09.02.2026

  • Added: A new filter hook “wpdiscuz_is_update_nonce_with_ajax” to control nonce ajax requests for guests

Comments – wpDiscuz v7.6.45 – 19.01.2026

  • Added: A new filter hook “wpdiscuz_validate_nonce_for_guests” to control wpdGetNonce ajax requests for guest users

Comments – wpDiscuz v7.6.44 – 15.01.2026

  • Security: Fixed IDOR vulnerability in AJAX actions (CVE-2025-68997)
  • Security: Added post access authorization check to voteOnComment – uses $comment->comment_post_ID from database, not user-supplied postId (prevents parameter manipulation bypass)
  • Security: Added server-side rate limiting to AJAX actions (vote 20/min, rate 10/min, follow 15/min, subscribe 10/min)
  • Security: Rate limiting on voteOnComment, userRate, followUser, addSubscription
  • Security: Enhanced client fingerprinting (IP + User-Agent + Accept-Language)
  • Security: Rate limiting executes before nonce validation for maximum protection
  • Security: Object validation – verifies comment exists and is approved before processing
  • Security: Post status validation – blocks access to private/password-protected posts for unauthorized users
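The v7.6.44 entries above describe one hardening procedure (rate limit, then nonce, then object and post authorization). The following is an added example of that procedure in a WordPress AJAX handler, not wpDiscuz's own code; the function names, the transient key prefix and the nonce action name are assumptions.

```php
<?php
// Added example, not wpDiscuz's own code: an AJAX vote handler applying the
// v7.6.44 hardening steps in the order listed. Function names, the transient
// prefix and the nonce action name are assumptions.
add_action( 'wp_ajax_wpd_example_vote', 'wpd_example_vote' );
add_action( 'wp_ajax_nopriv_wpd_example_vote', 'wpd_example_vote' );

// Client fingerprint: IP + User-Agent + Accept-Language. Only REMOTE_ADDR is
// outside the client's control, so the headers merely raise the cost of rotation.
function wpd_example_client_key( $action ) {
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $ua   = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $lang = isset( $_SERVER['HTTP_ACCEPT_LANGUAGE'] ) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : '';
    return 'wpd_rl_' . $action . '_' . md5( $ip . '|' . $ua . '|' . $lang );
}

// Fixed-window counter kept in a transient; true when the caller is over the limit.
function wpd_example_is_rate_limited( $action, $limit, $window = MINUTE_IN_SECONDS ) {
    $key   = wpd_example_client_key( $action );
    $count = (int) get_transient( $key );
    if ( $count >= $limit ) {
        return true;
    }
    set_transient( $key, $count + 1, $window );
    return false;
}

function wpd_example_vote() {
    // 1. Rate limit before nonce validation (vote: 20 requests per minute).
    if ( wpd_example_is_rate_limited( 'vote', 20 ) ) {
        wp_send_json_error( 'rate_limited', 429 );
    }
    // 2. Nonce validation (check_ajax_referer() dies on failure).
    check_ajax_referer( 'wpd_example_vote_nonce', 'nonce' );
    // 3. Object validation: the comment must exist and be approved.
    $comment = get_comment( isset( $_POST['comment_id'] ) ? absint( $_POST['comment_id'] ) : 0 );
    if ( ! $comment || '1' !== (string) $comment->comment_approved ) {
        wp_send_json_error( 'invalid_comment', 404 );
    }
    // 4. Authorize against the post stored on the comment, never a client-sent
    //    postId; block private and password-protected posts for unauthorized users.
    $post = get_post( (int) $comment->comment_post_ID );
    if ( ! $post || post_password_required( $post )
        || ( 'publish' !== $post->post_status && ! current_user_can( 'read_post', $post->ID ) ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Record the vote for $comment->comment_ID here (storage omitted).
    wp_send_json_success( array( 'comment_id' => (int) $comment->comment_ID ) );
}
```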

Comments – wpDiscuz v7.6.43 – 12.01.2026

  • Fixed: Insecure Direct Object References (IDOR) vulnerability

Comments – wpDiscuz v7.6.42 – 23.12.2025

  • Fixed: An issue with inline commenting in Elementor

Comments – wpDiscuz v7.6.41 – 22.12.2025

  • Updated: Added a Gutenberg toolbar button for inline feedback shortcode generation

Comments – wpDiscuz v7.6.40 – 09.12.2025

  • Fixed: Disqus login vulnerability


Version: 7.6.54
Last Updated: April 10, 2026
Active Installs: 80000
Requires: WordPress 5.0
Tested Up To: WordPress 6.9.4
Requires PHP: 5.6
