Files

2.4 KiB

Security Policy

Supported Versions

Version Supported
7.6.44
7.6.43
< 7.6.43

Reporting a Vulnerability

If you discover a security vulnerability within wpDiscuz, please send an email to info@gvectors.com. All security vulnerabilities will be promptly addressed.

Security Fixes

CVE-2025-68997 - IDOR Vulnerability (Fixed in 7.6.44)

Severity: Medium Type: Insecure Direct Object Reference (IDOR) Affected Actions: wpdVoteOnComment, wpdUserRate, wpdFollowUser, wpdAddSubscription

Description: AJAX actions exposed via admin-ajax.php were vulnerable to:

  1. Authorization bypass - voting on comments from private/restricted posts
  2. Mass abuse through direct HTTP requests bypassing frontend protections

Fix Applied:

  1. Authorization Check (IDOR fix):

    • Added post access validation to voteOnComment()
    • Verifies post exists and is published
    • Checks user has permission for private posts
    • Blocks access to password-protected post comments for guests
    • Uses $comment->comment_post_ID (actual post from DB) for authorization, not user-supplied postId parameter - prevents bypass via parameter manipulation
  2. Rate Limiting (Abuse prevention):

    • Server-side rate limiting on all sensitive AJAX actions
    • Rate limits: vote (20/min), rate (10/min), follow (15/min), subscribe (10/min)
    • Enhanced client fingerprinting (IP + User-Agent + Accept-Language)
    • Rate limiting executes BEFORE nonce validation for maximum protection

Files Modified:

  • utils/class.WpdiscuzHelper.php - Added checkRateLimit() and getClientFingerprint()
  • utils/class.WpdiscuzHelperAjax.php - Authorization check + rate limiting on voteOnComment(), userRate(), followUser()
  • utils/class.WpdiscuzHelperEmail.php - Rate limiting on addSubscription()
  • options/class.WpdiscuzOptions.php - Added wc_rate_limit_exceeded phrase

Verification: Security fix can be verified by checking for @security-fix CVE-2025-68997 annotations in the source code.

Security Best Practices

  1. Always keep wpDiscuz updated to the latest version
  2. Use HTTPS on your website
  3. Keep WordPress core and other plugins updated
  4. Use strong passwords for admin accounts
  5. Consider using a Web Application Firewall (WAF)