Comments – wpDiscuz

IMPORTANT!

Please don’t forget delete all caches and purge CDN after the update.

Comments – wpDiscuz v7.6.46 – 09.02.2026

• Added: A new filter hook “wpdiscuz_is_update_nonce_with_ajax” to control nonce ajax requests for guests

Comments – wpDiscuz v7.6.45 – 19.01.2026

• Added: A new filter hook “wpdiscuz_validate_nonce_for_guests” to control wpdGetNonce ajax requests for guest users

Comments – wpDiscuz v7.6.44 – 15.01.2026

• Security: Fixed IDOR vulnerability in AJAX actions (CVE-2025-68997)
• Security: Added post access authorization check to voteOnComment – uses $comment->comment_post_ID from database, not user-supplied postId (prevents parameter manipulation bypass)
• Security: Added server-side rate limiting to AJAX actions (vote 20/min, rate 10/min, follow 15/min, subscribe 10/min)
• Security: Rate limiting on voteOnComment, userRate, followUser, addSubscription
• Security: Enhanced client fingerprinting (IP + User-Agent + Accept-Language)
• Security: Rate limiting executes before nonce validation for maximum protection
• Security: Object validation – verifies comment exists and is approved before processing
• Security: Post status validation – blocks access to private/password-protected posts for unauthorized users

Comments – wpDiscuz v7.6.43 – 12.01.2026

• Fixed: Insecure Direct Object References (IDOR) vulnerability

Comments – wpDiscuz v7.6.42 – 23.12.2025

• Fixed: An issue with inline commenting in Elementor

Comments – wpDiscuz v7.6.41 – 22.12.2025

• Updated: Added gutenberg toolbar button for inline feedback shortcode generation

Comments – wpDiscuz v7.6.40 – 09.12.2025

• Fixed: Disqus login vulnerability