CVE-2020-13640

CRITICAL EXPLOITED NUCLEI

Gvectors Wpdiscuz < 5.3.5 - SQL Injection

Description

A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request. (No 7.x versions are affected.)

Exploits (1)

nomisec WORKING POC 1 stars
by asterite3 · poc
https://github.com/asterite3/CVE-2020-13640

Nuclei Templates (1)

wpDiscuz <= 5.3.5 - SQL Injection
CRITICAL · VERIFIED · by Sourabh-Sahu
FOFA: body="/wp-content/plugins/wpdiscuz"

Scores

CVSS v3 9.8
EPSS 0.7395
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2020-12-06
CWE CWE-89
Status published
Products (1)
gvectors/wpdiscuz < 5.3.5
Published Jun 18, 2020
Tracked Since Feb 18, 2026