CVE-2018-20422

Name of the Vulnerable Software and Affected Versions DiscuzX version 3.4

Description The issue allows remote attackers to bypass authentication when WeChat login is enabled. This is achieved by leveraging a non-empty #wechat#common member wechatmp to gain login access to an account via a "plugin.php?ac=wxregister" request. The attacker does not have control over which account will be accessed.

Recommendations For DiscuzX version 3.4, as a temporary workaround, consider disabling WeChat login until a patch is available. Restrict access to the plugin.php endpoint, specifically the "ac=wxregister" request, to minimize the risk of exploitation. Avoid using the WeChat login feature in the affected version until the issue is resolved.