Vulnerabilities and security researches foranycomment anycomment

Jun 07, 2024

CVE, Research URL: CVE-2021-24838
Home page URL: Security reports for AnyComment
Application: AnyComment
Date: Jan 17, 2022
Research Description: The AnyComment WordPress plugin before 0.3.5 has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature.
Affected versions: max 0.3.5.
Status: vulnerable

CVE, Research URL: CVE-2022-0279
Home page URL: Security reports for AnyComment
Application: AnyComment
Date: Feb 21, 2022
Research Description: The AnyComment WordPress plugin before 0.2.18 is affected by a race condition when liking/disliking a comment/reply, which could allow any authenticated user to quickly raise their rating or lower the rating of other users
Affected versions: max 0.2.18.
Status: vulnerable

CVE, Research URL: CVE-2018-21001
Home page URL: Security reports for AnyComment
Application: AnyComment
Date: Aug 27, 2019
Research Description: The anycomment plugin before 0.0.33 for WordPress has XSS.
Affected versions: max 0.0.33.
Status: vulnerable

CVE, Research URL: CVE-2022-0134
Home page URL: Security reports for AnyComment
Application: AnyComment
Date: Feb 21, 2022
Research Description: The AnyComment WordPress plugin before 0.2.18 does not have CSRF checks in the Import and Revert HyperComments features, allowing attackers to make logged in admin perform such actions via a CSRF attack
Affected versions: max 0.2.18.
Status: vulnerable

Nov 10, 2025

CVE, Research URL: CVE-2025-60240
Home page URL: Security reports for AnyComment
Application: AnyComment
Date: Nov 06, 2025
Research Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Alexander AnyComment anycomment allows PHP Local File Inclusion.This issue affects AnyComment: from n/a through <= 0.3.6.
Affected versions: max 0.3.6.
Status: vulnerable

CVE, Research URL: CVE-2025-48091
Home page URL: Security reports for AnyComment
Application: AnyComment
Date: Oct 22, 2025
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Alexander AnyComment anycomment allows SQL Injection.This issue affects AnyComment: from n/a through <= 0.3.6.
Affected versions: max 0.3.6.
Status: vulnerable