A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via the wmuUploadFiles AJAX action.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HGvectors Wpdiscuz
APPGvectors7.0 – 7.0.4
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCE
CWE
References
Related vulnerabilities
CVE-2026-22193CRITICAL9.2PL ✓ten sam produkt
SQL Injection w wtyczce WordPress wpDiscuz (getAllSubscriptions)
CVE-2024-9488CRITICAL9.8PL ✓ten sam produkt
Authentication bypass w pluginie wpDiscuz dla WordPress (do wersji 7.6.24)
CVE-2020-13640CRITICAL9.8ten sam produkt
A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers ...
CVE-2026-22192HIGH8.8ten sam produkt
Voltronic Power SNMP Web Pro version 1.1 contains an authentication bypass vulnerability that allows unauthent...
CVE-2026-22182HIGH8.7ten sam produkt
wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users...