A security flow found in the wpDiscuz’s WordPress plugin which can allow hackers to inject malicious code easily on any website.
This vulnerability was first identified by security experts at Wordfence, who further confirms that with this flaw, hackers will also be able to execute PHP files and upload arbitrary files to the website where this plugin is installed.
wpDiscuz provides an alternative to the commenting system to WordPress, just like jetpack comments, Disqus, or any other famous commenting plugin.
This security flaw was first identified by Wordfence and had asked wpDiscuz to fix it, for that after a few days, the devs said they had fixed it. But later, in the latest update of the WordPress plugin, this issue was once again found to which wordfence took notice and told, the patch was unable to fix the security flaw as of now.
The issue was found in version 7 of the WordPress plugin, in the feature which allows users to upload images to the comments. The system is unable to detect if the file extension is of an image or malicious code.
As of now the best thing for the web developers who are using wpDiscuz is to move away from it if the plugin is not getting a patch within 24 hours, keeping the plugin would allow hackers to hack your sites and all the other sites associated with that host to be at the risk of hacking.