A security flow found in the wpDiscuz’s WordPress plugin which can allow hackers to inject malicious code easily on any website.
This vulnerability was first identified by security experts at Wordfence, who further confirms that with this flaw, hackers will also be able to execute PHP files and upload arbitrary files to the website where this plugin is installed.
wpDiscuz provides an alternative to the commenting system to WordPress, just like jetpack comments, Disqus, or any other famous commenting plugin.
This security flaw was first identified by Wordfence and had asked wpDiscuz to fix it, for that after a few days, the devs said they had fixed it. But later, in the latest update of the WordPress plugin, this issue was once again found to which wordfence took notice and told, the patch was unable to fix the security flaw as of now.
The issue was found in version 7 of the WordPress plugin, in the feature which allows users to upload images to the comments. The system is unable to detect if the file extension is of an image or malicious code.
As of now the best thing for the web developers who are using wpDiscuz is to move away from it if the plugin is not getting a patch within 24 hours, keeping the plugin would allow hackers to hack your sites and all the other sites associated with that host to be at the risk of hacking.
All is fixed! The problem is 100% fixed and wpDiscuz is safe. You can ignore this if you’ve already updated to 7.0.5 or higher version (current version is 7.0.6). This was fixed and the new version 7.0.5 was released a week ago before the security issue public report. There is not any issues with current wpDiscuz version. It’s 100% secure now. This kind of issues happens with almost all WordPress plugins, so there is no reason to worry if you’ve updated and up to date. Just keep updating your plugins and make sure you’re using the latest versions. About 50%… Read more »