多说社会化评论框 Security & Risk Analysis

wordpress.org/plugins/duoshuo

A social comment box designed for the best user experience, giving small and medium-sized websites multi-account login and commenting via Sina Weibo, QQ, Renren, Kaixin, Douban and other accounts.

70 active installs · v1.2 · PHP + WP 2.8+ · Updated Dec 18, 2015
Tags: comments · share · social · spam · weibo
Score: 42/100 · Grade D · High Risk
CVEs total: 2
Unpatched: 2
Last CVE: Aug 23, 2025
Safety Verdict

Is 多说社会化评论框 Safe to Use in 2026?

High Risk

Score 42/100

多说社会化评论框 carries significant security risk with 2 known CVEs, 2 still unpatched. Consider switching to a maintained alternative.

2 known CVEs · 2 unpatched · Last CVE: Aug 23, 2025 · Updated 10yr ago
Risk Assessment

The duoshuo v1.2 plugin presents a significant security risk due to several critical weaknesses. While the plugin does not use dangerous functions or make external HTTP requests, static analysis reveals a concerning lack of security checks on its entry points. Specifically, both of the identified AJAX handlers lack authentication checks, creating a wide attack surface that could be exploited by unauthenticated users. Furthermore, the plugin exhibits poor output escaping practices, with only 26% of outputs properly escaped, which can lead to cross-site scripting vulnerabilities. The vulnerability history further exacerbates these concerns, with two known unpatched medium-severity CVEs, one Cross-Site Request Forgery and one Cross-Site Scripting issue. These recurring vulnerability types suggest a pattern of insecure coding practices around input handling and user interaction. While the presence of capability checks and of prepared statements for SQL queries is a positive sign, it is overshadowed by the critical flaws in authentication and output sanitization, alongside the unpatched vulnerabilities, leading to an overall poor security posture.

Key Concerns

  • AJAX handlers without authentication checks
  • High number of flows with unsanitized paths
  • Low percentage of properly escaped outputs
  • Two unpatched medium severity CVEs
  • No nonce checks on entry points
Vulnerabilities (2)

多说社会化评论框 Security Vulnerabilities

CVEs by Year

2025: 2 CVEs · unpatched

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2025-48318 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

多说社会化评论框 <= 1.2 - Cross-Site Request Forgery to Settings Update

Aug 23, 2025 · Unpatched

CVE-2025-49056 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

多说社会化评论框 <= 1.2 - Reflected Cross-Site Scripting

Aug 7, 2025 · Unpatched

Code Analysis (analyzed Mar 16, 2026)

多说社会化评论框 Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 12 (10 prepared)
Unescaped Output: 143 (49 escaped)
Nonce Checks: 0
Capability Checks: 5
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

45% prepared · 22 total queries

Output Escaping

26% escaped · 192 total outputs

Data Flows (11 unsanitized)

Data Flow Analysis

12 flows · 11 with unsanitized paths
<oauth-proxy> (oauth-proxy.php:0)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized

Attack Surface (2 unprotected)

多说社会化评论框 Attack Surface

Entry Points: 2 · Unprotected: 2

AJAX Handlers (2)

auth · wp_ajax_duoshuo_export · duoshuo.php:134
auth · wp_ajax_duoshuo_sync_log · duoshuo.php:135
WordPress Hooks (37)

action · admin_notices · duoshuo.php:18
action · admin_notices · duoshuo.php:28
action · admin_notices · duoshuo.php:52
filter · plugin_action_links_duoshuo/duoshuo.php · duoshuo.php:70
action · admin_notices · duoshuo.php:78
action · admin_notices · duoshuo.php:82
action · switch_theme · duoshuo.php:84
filter · post_row_actions · duoshuo.php:88
action · post_comment_status_meta_box-options · duoshuo.php:107
action · wp_dashboard_setup · duoshuo.php:109
action · admin_head-edit-comments.php · duoshuo.php:131
action · login_form · duoshuo.php:149
action · register_form · duoshuo.php:150
filter · comments_template · duoshuo.php:157
filter · comments_popup_link_attributes · duoshuo.php:160
filter · comments_number · duoshuo.php:161
action · trackback_post · duoshuo.php:165
action · pingback_post · duoshuo.php:166
filter · comments_open · duoshuo.php:176
action · set_auth_cookie · duoshuo.php:177
action · clear_auth_cookie · duoshuo.php:178
action · profile_update · duoshuo.php:180
action · user_register · duoshuo.php:181
action · wp_login · duoshuo.php:182
action · duoshuo_sync_log_cron · duoshuo.php:185
action · admin_menu · duoshuo.php:350
action · admin_init · duoshuo.php:351
action · admin_init · duoshuo.php:352
action · admin_init · duoshuo.php:353
action · init · duoshuo.php:356
action · login_form_duoshuo_login · duoshuo.php:357
action · widgets_init · duoshuo.php:361
action · save_post · duoshuo.php:363
action · save_post · duoshuo.php:364
action · wp_head · widgets.php:14
action · wp_head · widgets.php:231
filter · wp_kses_allowed_html · WordPress.php:1010

Scheduled Events (1)

duoshuo_sync_log_cron

多说社会化评论框 Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.6.1
Last updated: Dec 18, 2015
PHP min version: (not listed)
Downloads: 171K

Community Trust

Rating: 34/100
Number of ratings: 12
Active installs: 70

多说社会化评论框 Developer Profile

shen2

1 plugin · 70 total installs

Trust score: 53
Avg Security Score: 42/100
Avg Patch Time: 30 days

How We Detect 多说社会化评论框

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/duoshuo/script.js
/wp-content/plugins/duoshuo/comments.js
/wp-content/plugins/duoshuo/admin.js
/wp-content/plugins/duoshuo/images/menu-icon.png
/wp-content/plugins/duoshuo/widgets.php
Script Paths
/wp-content/plugins/duoshuo/script.js
/wp-content/plugins/duoshuo/comments.js
/wp-content/plugins/duoshuo/admin.js

HTML / DOM Fingerprints

CSS Classes
ds-thread, ds-inline-feed, ds-meta
HTML Comments
<!-- 多说评论 start -->
<!-- 多说评论 end -->
<!-- 多说登录 start -->
<!-- 多说登录 end -->
Data Attributes
data-thread-key, data-url, data-title, data-slug, data-category, data-author-key (+3 more)
JS Globals
DUOSHUO, duoshuo

Frequently Asked Questions about 多说社会化评论框