Impact
wpDiscuz before 7.6.47 has a cross‑site scripting (XSS) vulnerability that allows attackers to inject arbitrary JavaScript through attachment URLs that are written unescaped into the HTML output. The flaw resides in the WpdiscuzHelperUpload class and permits malicious code to be inserted into img and anchor tag attributes; that code executes in the browser context of any WordPress user who views a comment containing the crafted attachment. This is a standard input validation weakness identified as CWE-79 and can lead to session hijacking, defacement, or the execution of further client‑side attacks.
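The unescaped-attribute pattern described above, next to a hardened form, as an added example that is not wpDiscuz code or the vendor's patch. Function names and sample URLs are constructed for illustration, and plain PHP `htmlspecialchars()` with a scheme allowlist stands in for the WordPress helpers `esc_url()` and `esc_attr()` that a plugin would normally call.

```php
<?php
// Added illustration, not wpDiscuz source. All function names are hypothetical.

// Vulnerable pattern: the stored URL is concatenated into attributes as-is,
// so a double quote in the value ends the attribute and starts a new one.
function render_attachment_unsafe(string $url): string
{
    return '<a href="' . $url . '"><img src="' . $url . '"></a>';
}

// Hardened pattern: allow only http/https URLs, then HTML-escape the value
// for an attribute context. Returns '' when the URL is rejected.
function render_attachment_safe(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';
    }
    $attr = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $attr . '"><img src="' . $attr . '"></a>';
}

// Counts the attributes an HTML parser sees on the first <img> element.
// More than one attribute means the URL escaped its src="" value.
function img_attribute_count(string $html): int
{
    if ($html === '') {
        return 0; // rejected URL: nothing was rendered
    }
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $img = $doc->getElementsByTagName('img')->item(0);
    return $img === null ? 0 : $img->attributes->length;
}

// Constructed sample values (not taken from the advisory).
$samples = [
    'benign'      => 'https://example.test/uploads/photo.png',
    'quote break' => 'https://example.test/x.png" data-injected="1',
    'bad scheme'  => 'javascript:void(0)',
];

foreach ($samples as $label => $url) {
    printf("%-12s unsafe img attrs=%d  safe img attrs=%d\n", $label,
        img_attribute_count(render_attachment_unsafe($url)),
        img_attribute_count(render_attachment_safe($url)));
}
```

The attribute count doubles as a regression check: a correctly escaped attachment URL always yields exactly one attribute on the rendered img element, or no element at all when the scheme is rejected.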
Affected Systems
All WordPress sites that use the gVectors wpDiscuz plugin with a version earlier than 7.6.47 are affected. The vulnerability applies to any instance where the plugin’s attachment URLs are rendered in comment HTML, as indicated by the CPE string cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*.
Risk and Exploitability
The CVSS score for this issue is 2.1, indicating low severity, and the EPSS score is less than 1%. The vulnerability is not listed in the CISA KEV catalog. To craft the malicious URLs, attackers would need the ability to create or modify attachment records within wpDiscuz, for example as an administrator or a user with upload rights. Because the exploit works purely client‑side, success depends on the victim visiting the affected comment. While the overall likelihood of exploitation is low, any XSS flaw presents a potential vector for user‑targeted attacks and should be remediated promptly.