2.4 KiB
2.4 KiB
Security Policy
Supported Versions
| Version | Supported |
|---|---|
| 7.6.44 | ✅ |
| 7.6.43 | ✅ |
| < 7.6.43 | ❌ |
Reporting a Vulnerability
If you discover a security vulnerability within wpDiscuz, please send an email to info@gvectors.com. All security vulnerabilities will be promptly addressed.
Security Fixes
CVE-2025-68997 - IDOR Vulnerability (Fixed in 7.6.44)
Severity: Medium
Type: Insecure Direct Object Reference (IDOR)
Affected Actions: wpdVoteOnComment, wpdUserRate, wpdFollowUser, wpdAddSubscription
Description:
AJAX actions exposed via admin-ajax.php were vulnerable to:
- Authorization bypass - voting on comments from private/restricted posts
- Mass abuse through direct HTTP requests bypassing frontend protections
Fix Applied:
-
Authorization Check (IDOR fix):
- Added post access validation to
voteOnComment() - Verifies post exists and is published
- Checks user has permission for private posts
- Blocks access to password-protected post comments for guests
- Uses
$comment->comment_post_ID(actual post from DB) for authorization, not user-suppliedpostIdparameter - prevents bypass via parameter manipulation
- Added post access validation to
-
Rate Limiting (Abuse prevention):
- Server-side rate limiting on all sensitive AJAX actions
- Rate limits: vote (20/min), rate (10/min), follow (15/min), subscribe (10/min)
- Enhanced client fingerprinting (IP + User-Agent + Accept-Language)
- Rate limiting executes BEFORE nonce validation for maximum protection
Files Modified:
utils/class.WpdiscuzHelper.php- AddedcheckRateLimit()andgetClientFingerprint()utils/class.WpdiscuzHelperAjax.php- Authorization check + rate limiting onvoteOnComment(),userRate(),followUser()utils/class.WpdiscuzHelperEmail.php- Rate limiting onaddSubscription()options/class.WpdiscuzOptions.php- Addedwc_rate_limit_exceededphrase
Verification:
Security fix can be verified by checking for @security-fix CVE-2025-68997 annotations in the source code.
Security Best Practices
- Always keep wpDiscuz updated to the latest version
- Use HTTPS on your website
- Keep WordPress core and other plugins updated
- Use strong passwords for admin accounts
- Consider using a Web Application Firewall (WAF)