cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forduoshuo duoshuo

Direction: ascending
Aug 11, 2025

多说社会化评论框 # CVE-2025-49056

CVE, Research URL

CVE-2025-49056

Date
Aug 14, 2025
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shen2 多说社会化评论框 duoshuo allows Reflected XSS.This issue affects 多说社会化评论框: from n/a through <= 1.2.
Affected versions
max 1.2.
Status
vulnerable
Aug 30, 2025

多说社会化评论框 # CVE-2025-48318

CVE, Research URL

CVE-2025-48318

Date
Aug 28, 2025
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in shen2 多说社会化评论框 duoshuo allows Cross Site Request Forgery.This issue affects 多说社会化评论框: from n/a through <= 1.2.
Affected versions
max 1.2.
Status
vulnerable
Jul 10, 2026

多说社会化评论框 # CVE-2026-14482

CVE, Research URL

CVE-2026-14482

Date
Jul 08, 2026
Research Description
The 多说社会化评论框 plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2. The vulnerability exists due to a missing capability and nonce check on a directly web-accessible API endpoint, combined with a trivially forgeable HMAC-SHA1 signature keyed on an always-empty WordPress option, which allows the endpoint's `update_option` handler to pass attacker-controlled `option` and `value` parameters directly to WordPress's `update_option` function without any allowlist or sanitization. This makes it possible for unauthenticated attackers to update arbitrary WordPress options — such as setting `default_role` to `administrator` and enabling open registration — and subsequently register an account with full administrator privileges.
Affected versions
max 1.2.
Status
vulnerable