Vulnerabilities and security researches forduoshuo duoshuo
Direction: ascendingAug 11, 2025
多说社会化评论框 # CVE-2025-49056
- CVE, Research URL
- Home page URL
- Application
- Date
- Aug 14, 2025
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shen2 多说社会化评论框 duoshuo allows Reflected XSS.This issue affects 多说社会化评论框: from n/a through <= 1.2.
- Affected versions
-
max 1.2.
- Status
-
vulnerable
Aug 30, 2025
多说社会化评论框 # CVE-2025-48318
- CVE, Research URL
- Home page URL
- Application
- Date
- Aug 28, 2025
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability in shen2 多说社会化评论框 duoshuo allows Cross Site Request Forgery.This issue affects 多说社会化评论框: from n/a through <= 1.2.
- Affected versions
-
max 1.2.
- Status
-
vulnerable
Jul 10, 2026
多说社会化评论框 # CVE-2026-14482
- CVE, Research URL
- Home page URL
- Application
- Date
- Jul 08, 2026
- Research Description
- The 多说社会化评论框 plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2. The vulnerability exists due to a missing capability and nonce check on a directly web-accessible API endpoint, combined with a trivially forgeable HMAC-SHA1 signature keyed on an always-empty WordPress option, which allows the endpoint's `update_option` handler to pass attacker-controlled `option` and `value` parameters directly to WordPress's `update_option` function without any allowlist or sanitization. This makes it possible for unauthenticated attackers to update arbitrary WordPress options — such as setting `default_role` to `administrator` and enabling open registration — and subsequently register an account with full administrator privileges.
- Affected versions
-
max 1.2.
- Status
-
vulnerable