WP Discourse Security & Risk Analysis

wordpress.org/plugins/wp-discourse

This plugin allows you to use Discourse as a community engine for your WordPress website. The plugin is not a substitute for Disqus type commenting sy …

1K active installs · v2.6.1 · PHP 5.6+ · WP 5.1+ · Updated Jan 29, 2026
Tags: comments, discourse, forum, sso
Security score: 98 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Oct 31, 2025
Safety Verdict

Is WP Discourse Safe to Use in 2026?

Generally Safe

Score 98/100

WP Discourse has a strong security track record: both known vulnerabilities were patched within days of disclosure (average patch time 4 days).

2 known CVEs · Last CVE: Oct 31, 2025 · Updated 2mo ago
Risk Assessment

The wp-discourse plugin at version 2.6.1 shows a mixed security posture. On the positive side, output escaping is nearly complete: the code analysis counts 264 of 265 outputs as escaped, with a single unescaped output, and the static scan found no dangerous functions. The vulnerability history shows no currently unpatched CVEs, which points to active maintenance and timely remediation. The scan also reports zero external HTTP requests; since the plugin publishes to a Discourse instance configured by URL and API key (see the wpdc_validate_url and wpdc_validate_api_key settings validators in the hook list), outbound calls must exist somewhere in the code, so read that figure as a limit of what the analyzer matched rather than as a property of the plugin.

The main concern is the attack surface. Of the plugin's 13 entry points, 9 are registered without a permission callback, and those 9 are exactly the REST API routes under wp-discourse/v1 in admin\discourse-sidebar\discourse-sidebar.php; the 4 AJAX handlers are listed with authentication checks. A REST route registered without a permission_callback is served to anonymous clients (WordPress 5.5 and later log a _doing_it_wrong notice but still register the route), so unless each callback checks capabilities itself, the callbacks behind publish-topic, unlink-post, link-topic and set-publish-meta would run for an unauthenticated caller. The scan records how the routes were registered, not what the callbacks do internally, so confirm on an installed copy that an unauthenticated request to these routes is answered with a 401 rest_forbidden error. Two further caveats: the scan labels every route GET, which is also the method register_rest_route() assumes when none is given, so verify the actual methods on the installed version; and the one taint flow it analyzed, an unsanitized path in admin\meta-box.php, sits behind the post editor (the file hooks save_post and add_meta_boxes), so it requires an authenticated user with edit rights rather than an anonymous visitor, and its severity is not classified as critical or high.

The vulnerability history shows two past medium-severity CVEs: CVE-2024-35168 (Missing Authorization, versions <= 2.5.1, fixed in 2.5.2 six days later) and CVE-2025-11983 (Exposure of Sensitive Information to an Unauthorized Actor, Author+, versions <= 2.5.9, fixed in 2.6.0 one day later). Both are patched, but both are authorization failures, the same class of defect as the unprotected REST registrations above, which warrants caution. In conclusion, the plugin has strong output handling, no unpatched vulnerabilities and fast patch turnaround, but the unprotected REST surface together with an authorization-flavoured history is a notable risk: run the current release (2.6.1 at the time of analysis), check that the wp-discourse/v1 routes reject anonymous callers on your install, and watch for new advisories.

Key Concerns

  • Large attack surface without auth checks: 9 of 13 entry points, all of them REST API routes registered without permission callbacks (the 4 AJAX handlers are listed with auth checks)
  • REST API routes without permission callbacks (9, all under wp-discourse/v1)
  • SQL queries not using prepared statements (2 raw queries, 0 prepared)
  • Taint flow with an unsanitized path (1 flow, admin\meta-box.php)
  • Past medium severity CVEs (x2), both authorization-related
Vulnerabilities (2)

WP Discourse Security Vulnerabilities

CVEs by Year

2024: 1 CVE (patched)
2025: 1 CVE (patched)

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2025-11983 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor
WP Discourse <= 2.5.9 - Authenticated (Author+) Information Exposure
Oct 31, 2025 · Patched in 2.6.0 (patch time 1 day)

CVE-2024-35168 · medium · 4.3 · Missing Authorization
WP Discourse <= 2.5.1 - Missing Authorization
May 10, 2024 · Patched in 2.5.2 (patch time 6 days)
Code Analysis (analyzed Mar 16, 2026)

WP Discourse Code Analysis

Dangerous functions: 0
Raw SQL queries: 2 (0 prepared)
Unescaped output: 1 (264 escaped)
Nonce checks: 9
Capability checks: 18
File operations: 7
External requests: 0
Bundled libraries: 0

SQL Query Safety

0% prepared (2 total queries)
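The "0 of 2 prepared" figure counts queries whose SQL string is built by concatenation instead of going through $wpdb->prepare(). The following is an added example, not wp-discourse code, showing the two styles side by side; the table example_topics, its columns and the function names are hypothetical, and the snippet runs inside WordPress (for instance with `wp eval-file` on a development site), since it needs the global $wpdb object.

```php
<?php
/**
 * Added example (not wp-discourse code): raw string-built SQL beside the
 * prepared form. Table name, columns and function names are hypothetical.
 * Run inside WordPress, e.g. `wp eval-file this-file.php` (WP-CLI).
 */

// Raw: request data is interpolated into the statement. The (int) cast
// protects $post_id, but $title_fragment reaches MySQL unescaped, so a
// quote or a LIKE wildcard inside it changes the query. A scanner counts
// any get_results() call fed a string built this way as "not prepared".
function example_find_topic_raw( $post_id, $title_fragment ) {
    global $wpdb;
    $post_id = (int) $post_id;
    $sql = "SELECT post_id, topic_id FROM {$wpdb->prefix}example_topics"
         . " WHERE post_id = $post_id AND title LIKE '%$title_fragment%'";
    return $wpdb->get_results( $sql );
}

// Prepared: every value goes through a placeholder. %d coerces to an
// integer, %s is quoted and escaped by $wpdb->prepare(); esc_like() makes
// user-supplied % and _ literal before the value is bound. The table name
// is not a placeholder: it comes from $wpdb->prefix, never from the request.
function example_find_topic_prepared( $post_id, $title_fragment ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $title_fragment ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT post_id, topic_id FROM {$wpdb->prefix}example_topics"
        . " WHERE post_id = %d AND title LIKE %s",
        $post_id,
        $like
    );
    return $wpdb->get_results( $sql );
}

// Same rule for writes: $wpdb->update()/insert() with format arrays are the
// prepared equivalents for the common cases, so prepare() is rarely needed by hand.
function example_link_topic_prepared( $post_id, $topic_id ) {
    global $wpdb;
    return $wpdb->update(
        $wpdb->prefix . 'example_topics',
        [ 'topic_id' => $topic_id ],   // data
        [ 'post_id'  => $post_id ],    // where
        [ '%d' ],                      // data format
        [ '%d' ]                       // where format
    );
}

// Preview the bound statement without touching any table: prepare() only
// builds the string. The hostile fragment is constructed for the example.
global $wpdb;
echo $wpdb->prepare(
    "SELECT post_id FROM {$wpdb->prefix}example_topics WHERE post_id = %d AND title LIKE %s",
    12,
    '%' . $wpdb->esc_like( "50% off' OR 1=1 -- " ) . '%'
), "\n";
```

In the prepared version the quote and the "OR 1=1" stay inside the string literal and the literal "%" is escaped as "\%", so the fragment matches titles containing that exact text rather than every row. Note that $wpdb->prepare() is what the static scan keys on; an (int) cast alone keeps the query in the "raw" column even when it happens to be safe.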

Output Escaping

264 of 265 outputs escaped (rounds to 100%); 1 unescaped
Data Flows (1 unsanitized)

Data Flow Analysis

1 flow analyzed, 1 with an unsanitized path
<meta-box> (admin\meta-box.php:0)
Attack Surface (9 unprotected)

WP Discourse Attack Surface

Entry points: 13
Unprotected: 9

AJAX Handlers: 4 (all listed with auth checks)

wp_ajax_text_options_reset  (auth)  admin\configurable-text-settings.php:44
wp_ajax_wpdc_view_log  (auth)  admin\log-viewer.php:117
wp_ajax_wpdc_view_logs_metafile  (auth)  admin\log-viewer.php:118
wp_ajax_wpdc_download_logs  (auth)  admin\log-viewer.php:119

REST API Routes: 9 (none with a permission callback)

GET  /wp-json/wp-discourse/v1/get-discourse-categories  admin\discourse-sidebar\discourse-sidebar.php:165
GET  /wp-json/wp-discourse/v1/update-topic  admin\discourse-sidebar\discourse-sidebar.php:180
GET  /wp-json/wp-discourse/v1/publish-topic  admin\discourse-sidebar\discourse-sidebar.php:194
GET  /wp-json/wp-discourse/v1/unlink-post  admin\discourse-sidebar\discourse-sidebar.php:208
GET  /wp-json/wp-discourse/v1/link-topic  admin\discourse-sidebar\discourse-sidebar.php:222
GET  /wp-json/wp-discourse/v1/set-publish-meta  admin\discourse-sidebar\discourse-sidebar.php:236
GET  /wp-json/wp-discourse/v1/set-category-meta  admin\discourse-sidebar\discourse-sidebar.php:250
GET  /wp-json/wp-discourse/v1/set-tag-meta  admin\discourse-sidebar\discourse-sidebar.php:265
GET  /wp-json/wp-discourse/v1/set-pin-meta  admin\discourse-sidebar\discourse-sidebar.php:280
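The routes above and the "REST API routes without permission callbacks" concern in the Key Concerns list both come down to how register_rest_route() was called. The following is an added example, not wp-discourse code: part 1 is an audit you can run on any install to list routes in a namespace that have no permission_callback (or a permission_callback of __return_true), part 2 is the hardened shape of one state-changing route, and part 3 is an admin-ajax handler carrying both the nonce check and the capability check the scan counts. The namespace example/v1, the route /link-topic, the meta key _example_topic_id, the nonce action example_log and every function name are hypothetical; the snippet runs inside WordPress (for instance `wp eval-file this-file.php` under WP-CLI).

```php
<?php
/**
 * Added example, not wp-discourse code. Names (example/v1, /link-topic,
 * _example_topic_id, example_log, example_* functions) are hypothetical.
 * Run inside WordPress, e.g. `wp eval-file this-file.php` (WP-CLI).
 */

/**
 * Part 1: audit. Lists every handler under "/$namespace/" that either has
 * no permission_callback at all (WordPress 5.5+ logs a _doing_it_wrong
 * notice but still serves the route with no check) or declares itself
 * public with __return_true. Route keys look like "/wp-discourse/v1/link-topic".
 */
function example_audit_rest_routes( string $namespace ): array {
    $findings = [];
    $prefix   = '/' . trim( $namespace, '/' ) . '/';
    foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
        if ( strpos( $route, $prefix ) !== 0 ) {
            continue;
        }
        foreach ( $handlers as $handler ) {
            $cb = $handler['permission_callback'] ?? null;
            if ( empty( $cb ) ) {
                $reason = 'no permission_callback';
            } elseif ( $cb === '__return_true' ) {
                $reason = 'permission_callback is __return_true';
            } else {
                continue;
            }
            $methods    = implode( ',', array_keys( $handler['methods'] ) );
            $findings[] = "$methods $route: $reason";
        }
    }
    return $findings;
}

/**
 * Part 2: a state-changing route registered the hardened way.
 */
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/link-topic', [
        // Writes go over POST; register_rest_route() defaults to GET when no method is given.
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_link_topic',
        // Object-level authorization: this user, this post. A logged-in subscriber
        // fails edit_post on someone else's post; an anonymous request has no user.
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_post', (int) $request['id'] );
        },
        'args' => [
            'id' => [
                'required'          => true,
                // Closures are used so the extra ($request, $key) arguments WordPress
                // passes do not hit a non-variadic internal function on PHP 8.
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && get_post( (int) $value ) instanceof WP_Post;
                },
                'sanitize_callback' => 'absint',
            ],
            'topic_id' => [
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ],
        ],
    ] );
} );

function example_link_topic( WP_REST_Request $request ) {
    // By the time this runs the permission callback passed and args are sanitized.
    update_post_meta( $request['id'], '_example_topic_id', $request['topic_id'] );
    return rest_ensure_response( [ 'post_id' => $request['id'], 'topic_id' => $request['topic_id'] ] );
}

/**
 * Part 3: an admin-ajax handler with both checks the scan looks for. No
 * wp_ajax_nopriv_ twin is registered, so admin-ajax.php answers anonymous
 * callers with "0" and HTTP 400 before this closure runs.
 */
add_action( 'wp_ajax_example_view_log', function () {
    check_ajax_referer( 'example_log', 'nonce' );            // bad or missing nonce: wp_die(-1, 403)
    if ( ! current_user_can( 'manage_options' ) ) {          // a valid nonce is CSRF protection, not authorization
        wp_send_json_error( [ 'message' => 'forbidden' ], 403 );
    }
    $log = sanitize_key( $_POST['log'] ?? '' );              // restrict to [a-z0-9_-] before it names anything
    wp_send_json_success( [ 'log' => $log ] );
} );

// Usage: print the audit for the namespace this page reports as unprotected.
foreach ( example_audit_rest_routes( 'wp-discourse/v1' ) as $line ) {
    echo $line, "\n";
}
```

Two things to keep in mind when verifying a route like part 2 from a browser session: cookie-authenticated REST calls must carry the wp_rest nonce in an X-WP-Nonce header (or as _wpnonce), otherwise WordPress treats the request as anonymous and current_user_can() sees no user; and a permission callback that returns false yields a rest_forbidden error with status 401 for anonymous callers and 403 for authenticated ones, which is the response you want to see when you probe the wp-discourse/v1 routes without logging in.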
WordPress Hooks (130)

action  admin_menu  admin\admin-menu.php:41
action  admin_notices  admin\admin-notice.php:30
action  admin_init  admin\admin-notice.php:31
action  admin_enqueue_scripts  admin\admin.php:47
action  admin_print_scripts  admin\admin.php:49
action  admin_init  admin\comment-settings.php:42
action  admin_init  admin\configurable-text-settings.php:42
action  wpdc_options_page_after_form  admin\configurable-text-settings.php:43
action  admin_init  admin\connection-settings.php:50
action  init  admin\discourse-sidebar\discourse-sidebar.php:42
action  rest_api_init  admin\discourse-sidebar\discourse-sidebar.php:43
action  enqueue_block_editor_assets  admin\discourse-sidebar\discourse-sidebar.php:44
action  admin_init  admin\form-helper.php:51
action  admin_notices  admin\form-helper.php:337
action  admin_notices  admin\form-helper.php:339
action  admin_notices  admin\form-helper.php:348
action  admin_init  admin\log-viewer.php:80
action  admin_init  admin\log-viewer.php:81
action  admin_init  admin\meta-box.php:38
action  add_meta_boxes  admin\meta-box.php:39
action  save_post  admin\meta-box.php:40
action  auto-draft_to_draft  admin\meta-box.php:41
action  admin_init  admin\network-options.php:24
action  network_admin_menu  admin\network-options.php:25
action  network_admin_edit_discourse_network_options  admin\network-options.php:26
action  network_admin_notices  admin\network-options.php:28
action  admin_init  admin\publish-settings.php:50
action  admin_init  admin\settings-validator.php:85
filter  wpdc_validate_url  admin\settings-validator.php:87
filter  wpdc_validate_api_key  admin\settings-validator.php:88
filter  wpdc_validate_publish_username  admin\settings-validator.php:89
filter  wpdc_validate_connection_logs  admin\settings-validator.php:90
filter  wpdc_validate_publish_category  admin\settings-validator.php:92
filter  wpdc_validate_publish_category_update  admin\settings-validator.php:93
filter  wpdc_validate_allow_tags  admin\settings-validator.php:94
filter  wpdc_validate_max_tags  admin\settings-validator.php:95
filter  wpdc_validate_publish_as_unlisted  admin\settings-validator.php:96
filter  wpdc_validate_full_post_content  admin\settings-validator.php:97
filter  wpdc_validate_auto_publish  admin\settings-validator.php:98
filter  wpdc_validate_force_publish  admin\settings-validator.php:99
filter  wpdc_validate_force_publish_max_age  admin\settings-validator.php:100
filter  wpdc_validate_add_featured_link  admin\settings-validator.php:101
filter  wpdc_validate_auto_track  admin\settings-validator.php:102
filter  wpdc_validate_allowed_post_types  admin\settings-validator.php:103
filter  wpdc_validate_exclude_tags  admin\settings-validator.php:104
filter  wpdc_validate_publish_failure_notice  admin\settings-validator.php:105
filter  wpdc_validate_publish_failure_email  admin\settings-validator.php:106
filter  wpdc_validate_hide_discourse_name_field  admin\settings-validator.php:107
filter  wpdc_validate_discourse_username_editable  admin\settings-validator.php:108
filter  wpdc_validate_direct_db_publication_flags  admin\settings-validator.php:109
filter  wpdc_validate_verbose_publication_logs  admin\settings-validator.php:110
filter  wpdc_validate_enable_discourse_comments  admin\settings-validator.php:112
filter  wpdc_validate_comment_type  admin\settings-validator.php:113
filter  wpdc_validate_cache_html  admin\settings-validator.php:114
filter  wpdc_validate_clear_cached_comment_html  admin\settings-validator.php:115
filter  wpdc_validate_ajax_load  admin\settings-validator.php:116
filter  wpdc_validate_load_comment_css  admin\settings-validator.php:117
filter  wpdc_validate_discourse_new_tab  admin\settings-validator.php:118
filter  wpdc_validate_hide_wordpress_comments  admin\settings-validator.php:119
filter  wpdc_validate_show_existing_comments  admin\settings-validator.php:120
filter  wpdc_validate_existing_comments_heading  admin\settings-validator.php:121
filter  wpdc_validate_max_comments  admin\settings-validator.php:122
filter  wpdc_validate_min_replies  admin\settings-validator.php:123
filter  wpdc_validate_min_score  admin\settings-validator.php:124
filter  wpdc_validate_min_trust_level  admin\settings-validator.php:125
filter  wpdc_validate_bypass_trust_level_score  admin\settings-validator.php:126
filter  wpdc_validate_custom_excerpt_length  admin\settings-validator.php:127
filter  wpdc_validate_custom_datetime_format  admin\settings-validator.php:128
filter  wpdc_validate_only_show_moderator_liked  admin\settings-validator.php:129
filter  wpdc_validate_display_subcategories  admin\settings-validator.php:130
filter  wpdc_validate_verbose_comment_logs  admin\settings-validator.php:131
filter  wpdc_validate_discourse_link_text  admin\settings-validator.php:133
filter  wpdc_validate_start_discussion_text  admin\settings-validator.php:134
filter  wpdc_validate_continue_discussion_text  admin\settings-validator.php:135
filter  wpdc_validate_join_discussion_text  admin\settings-validator.php:136
filter  wpdc_validate_comments_singular_text  admin\settings-validator.php:137
filter  wpdc_validate_comments_plural_text  admin\settings-validator.php:138
filter  wpdc_validate_no_comments_text  admin\settings-validator.php:139
filter  wpdc_validate_notable_replies_text  admin\settings-validator.php:140
filter  wpdc_validate_comments_not_available_text  admin\settings-validator.php:141
filter  wpdc_validate_participants_text  admin\settings-validator.php:142
filter  wpdc_validate_published_at_text  admin\settings-validator.php:143
filter  wpdc_validate_single_reply_text  admin\settings-validator.php:144
filter  wpdc_validate_many_replies_text  admin\settings-validator.php:145
filter  wpdc_validate_more_replies_more_text  admin\settings-validator.php:146
filter  wpdc_validate_external_login_text  admin\settings-validator.php:147
filter  wpdc_validate_link_to_discourse_text  admin\settings-validator.php:148
filter  wpdc_validate_linked_to_discourse_text  admin\settings-validator.php:149
filter  wpdc_validate_use_discourse_webhook  admin\settings-validator.php:151
filter  wpdc_validate_webhook_match_old_topics  admin\settings-validator.php:152
filter  wpdc_validate_use_discourse_user_webhook  admin\settings-validator.php:153
filter  wpdc_validate_webhook_match_user_email  admin\settings-validator.php:154
filter  wpdc_validate_webhook_secret  admin\settings-validator.php:155
filter  wpdc_validate_verbose_webhook_logs  admin\settings-validator.php:156
filter  wpdc_validate_sso_client_enabled  admin\settings-validator.php:158
filter  wpdc_validate_sso_client_login_form_change  admin\settings-validator.php:159
filter  wpdc_validate_sso_client_login_form_redirect  admin\settings-validator.php:160
filter  wpdc_validate_sso_client_sync_by_email  admin\settings-validator.php:161
filter  wpdc_validate_sso_client_sync_logout  admin\settings-validator.php:162
filter  wpdc_validate_enable_sso  admin\settings-validator.php:164
filter  wpdc_validate_auto_create_sso_user  admin\settings-validator.php:165
filter  wpdc_validate_verbose_sso_logs  admin\settings-validator.php:166
filter  wpdc_validate_sso_secret  admin\settings-validator.php:168
filter  wpdc_validate_login_path  admin\settings-validator.php:169
filter  wpdc_validate_real_name_as_discourse_name  admin\settings-validator.php:170
filter  wpdc_validate_force_avatar_update  admin\settings-validator.php:171
filter  wpdc_validate_redirect_without_login  admin\settings-validator.php:172
filter  wpdc_validate_site_multisite_configuration_enabled  admin\settings-validator.php:174
filter  wpdc_validate_site_url  admin\settings-validator.php:175
filter  wpdc_validate_site_api_key  admin\settings-validator.php:176
filter  wpdc_validate_site_publish_username  admin\settings-validator.php:177
filter  wpdc_validate_site_use_discourse_webhook  admin\settings-validator.php:178
filter  wpdc_validate_site_webhook_match_old_topics  admin\settings-validator.php:179
filter  wpdc_validate_site_webhook_secret  admin\settings-validator.php:180
filter  wpdc_validate_site_webhook_match_user_email  admin\settings-validator.php:181
filter  wpdc_validate_site_use_discourse_user_webhook  admin\settings-validator.php:182
filter  wpdc_validate_site_hide_discourse_name_field  admin\settings-validator.php:183
filter  wpdc_validate_site_sso_secret  admin\settings-validator.php:184
filter  wpdc_validate_site_enable_sso  admin\settings-validator.php:185
filter  wpdc_validate_site_sso_client_enabled  admin\settings-validator.php:186
action  admin_init  admin\sso-settings.php:66
action  wpdc_options_page_append_settings_tabs  admin\sso-settings.php:67
action  wpdc_options_page_after_tab_switch  admin\sso-settings.php:68
action  init  admin\user-profile.php:28
action  edit_user_profile  admin\user-profile.php:29
action  show_user_profile  admin\user-profile.php:31
action  edit_user_profile_update  admin\user-profile.php:32
action  personal_options_update  admin\user-profile.php:34
action  admin_init  admin\webhook-settings.php:50
action  init  blocks\comments\comments.php:55
Maintenance & Trust

WP Discourse Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.0
Last updated: Jan 29, 2026
PHP min version: 5.6
Downloads: 124K

Community Trust

Rating: 90/100
Number of ratings: 8
Active installs: 1K
Developer Profile

WP Discourse Developer Profile

scossar · 1 plugin · 1K total installs

Trust score: 99
Avg security score: 98/100
Avg patch time: 4 days
Detection Fingerprints

How We Detect WP Discourse

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-discourse/css/admin-styles.css
/wp-content/plugins/wp-discourse/js/admin.js
/wp-content/plugins/wp-discourse/admin/css/network-admin-styles.css

Script Paths
/wp-content/plugins/wp-discourse/js/admin.js

Version Parameters
wp-discourse/css/admin-styles.css?ver=
wp-discourse/js/admin.js?ver=
wp-discourse/admin/css/network-admin-styles.css?ver=

HTML / DOM Fingerprints

CSS Classes
wpdc-admin
wpdc-discourse-sync-status
wpdc-discourse-publish-settings
wpdc-discourse-comment-settings
wpdc-discourse-connection-settings
wpdc-discourse-sso-settings
wpdc-discourse-webhook-settings

HTML Comments
WP-Discourse admin settings
Add the Gutenberg Sidebar.

Data Attributes
data-max-tags
data-ajax
data-nonce

JS Globals
wpdc
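The fingerprints above are what a crawler matches to say "wp-discourse is installed, at this version". The following is an added example, not the scanner behind this page: it applies the asset-path, CSS-class, data-attribute and JS-global patterns to a fetched document, pulls a version out of the ?ver= parameter, and requires more than one independent signal before reporting a hit. The sample HTML inside is constructed for the example and the function names are mine. Two caveats a practitioner should keep: the three asset paths are admin-side files (the hook list shows them enqueued from admin_enqueue_scripts in admin\admin.php), so they appear in wp-admin pages rather than on the public front end, where a direct request to the asset URL is the usual existence check; and a ?ver= value is only a version hint, since WordPress substitutes its own core version when a plugin enqueues an asset without one.

```php
<?php
/**
 * Added example, not the site's scanner: match the wp-discourse fingerprints
 * listed on this page against an HTML document. Function names are mine;
 * the sample document at the bottom is constructed, not captured.
 */

const WPDC_ASSET_PATHS = [
    '/wp-content/plugins/wp-discourse/css/admin-styles.css',
    '/wp-content/plugins/wp-discourse/js/admin.js',
    '/wp-content/plugins/wp-discourse/admin/css/network-admin-styles.css',
];

/**
 * Returns ['present' => bool, 'assets' => [...], 'versions' => [...], 'dom' => [...]].
 * An asset path is treated as proof on its own; DOM/JS markers only count
 * when at least two of them agree, so a theme that happens to use a class
 * named wpdc-admin does not produce a false positive by itself.
 */
function wpdc_fingerprint( string $html ): array {
    $out = [ 'present' => false, 'assets' => [], 'versions' => [], 'dom' => [] ];

    foreach ( WPDC_ASSET_PATHS as $path ) {
        // The literal path, optionally followed by ?ver=<token>. The token is
        // limited to dotted/dashed alphanumerics so a closing quote or '&' is not swallowed.
        $re = '~' . preg_quote( $path, '~' ) . '(?:\?ver=([0-9][0-9A-Za-z.\-]*))?~';
        if ( preg_match_all( $re, $html, $m ) ) {
            $out['present']  = true;
            $out['assets'][] = $path;
            foreach ( $m[1] as $ver ) {      // unmatched groups come back as ''
                if ( $ver !== '' ) {
                    $out['versions'][] = $ver;
                }
            }
        }
    }
    $out['versions'] = array_values( array_unique( $out['versions'] ) );

    // Corroborating markers from the HTML / DOM fingerprint list.
    if ( preg_match( '~class="[^"]*\bwpdc-admin\b[^"]*"~', $html ) ) {
        $out['dom'][] = 'wpdc-admin';
    }
    if ( preg_match( '~\bdata-max-tags=~', $html ) ) {
        $out['dom'][] = 'data-max-tags';
    }
    if ( preg_match( '~\b(?:var|let|const)\s+wpdc\b|\bwpdc\s*=\s*\{~', $html ) ) {
        $out['dom'][] = 'wpdc';
    }
    if ( count( $out['dom'] ) >= 2 ) {
        $out['present'] = true;
    }
    return $out;
}

// Constructed sample of what a wp-admin page with the plugin loaded might contain.
$sample = <<<'HTML'
<link rel="stylesheet" href="https://example.test/wp-content/plugins/wp-discourse/css/admin-styles.css?ver=2.6.1" media="all" />
<script src="https://example.test/wp-content/plugins/wp-discourse/js/admin.js?ver=2.6.1"></script>
<script>var wpdc = {"ajaxurl":"https://example.test/wp-admin/admin-ajax.php"};</script>
<div class="wrap wpdc-admin" data-max-tags="5" data-nonce="c0ffee"></div>
HTML;

$r = wpdc_fingerprint( $sample );
printf(
    "present=%s assets=%d versions=%s dom=%s\n",
    $r['present'] ? 'yes' : 'no',
    count( $r['assets'] ),
    implode( ',', $r['versions'] ),
    implode( ',', $r['dom'] )
);
```

When the extracted version is older than 2.6.0, the two CVEs listed on this page apply to that install; when it equals the WordPress core version rather than a plugin release, treat it as unknown and fall back to the asset's contents or the plugin's readme for the real number.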
FAQ

Frequently Asked Questions about WP Discourse