• Jam Viet

    (@mcjambi)


    My customer’s website has been hacked and I found the script in the comments manager in admin; this is the code:
    https://pastebin.com/zpuze6UK
    It is present in wp-admin/edit-comments.php, so please research it!

    Also, I do not know where to post a security hole, so please help me if I am in the wrong place!

    This is an XSS attack!

Viewing 4 replies - 1 through 4 (of 4 total)
  • WEN Solutions

    (@wen-solutions)

    You might get help from this link: https://codex.www.ads-software.com/FAQ_My_site_was_hacked

    Thanks!

    Moderator bcworkz

    (@bcworkz)

    Just because you found malicious code in edit-comments.php does not mean there is a vulnerability there. Researching hack vectors is outside the scope of these forums because one needs full server access in order to do so. There are some significant liability issues with such access, ones that any random person on the Internet should not wish to incur if they knew enough to conduct such research.

    If you do know the attack vector and want to report it, see this:
    https://make.www.ads-software.com/core/handbook/testing/reporting-security-vulnerabilities/

    FWIW, most attack vectors are either outdated plugins or weak passwords. I’m not saying you are guilty of either of these, just stating in general for anyone else following along.

    Thread Starter Jam Viet

    (@mcjambi)

    Sometimes small things turn out to be big things!
    My customer’s website is using WordPress 4.3; it’s new and all plugins have been updated!
    The hacker encoded it in UTF-8 encoding or hex and posted it to the comment form; then, by some way, it inserts JavaScript into the admin screen, in “edit-comment.php”.

    Is that a WordPress security hole? Maybe not!

    Sorry for my English!
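
As an added example, not code from this thread or from WordPress, here is a small Python model of the failure mode described in the post above: a blocklist applied to the raw submission misses an entity- or percent-encoded script tag, while escaping at output, after whatever decoding the application performs, leaves every variant inert. The decoding layer and the sample comments are constructed assumptions, not details taken from the thread or its pastebin link.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample submissions (not the thread's pastebin payload): the same
# script tag sent plain, HTML-entity encoded and percent-encoded.
SAMPLE_COMMENTS = {
    "plain": "Nice post! <script>alert(1)</script>",
    "entity": "Nice post! &lt;script&gt;alert(1)&lt;/script&gt;",
    "percent": "Nice post! %3Cscript%3Ealert(1)%3C/script%3E",
}

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def naive_input_filter_passes(raw: str) -> bool:
    """Blocklist on the raw submission. True means the filter saw nothing
    wrong, which is exactly what happens for the encoded variants."""
    return SCRIPT_TAG.search(raw) is None


def decode_once(text: str) -> str:
    """One decoding pass, standing in for whichever layer (form handling, a
    plugin, a display helper) turns the stored text back into markup.
    The thread does not identify that layer; this is an assumption."""
    return html.unescape(unquote(text))


def unsafe_admin_render(stored: str) -> str:
    """Displays the decoded comment as raw HTML: live script for all variants."""
    return f"<td>{decode_once(stored)}</td>"


def safe_admin_render(stored: str) -> str:
    """Escapes at output, after decoding, so the text can only render as text."""
    return f"<td>{html.escape(decode_once(stored), quote=True)}</td>"


def contains_live_script(markup: str) -> bool:
    """A browser builds a <script> element only from a literal '<' in markup."""
    return SCRIPT_TAG.search(markup) is not None


def audit() -> dict:
    """Per variant: (filter passed?, unsafe render live?, safe render live?)."""
    return {
        name: (
            naive_input_filter_passes(raw),
            contains_live_script(unsafe_admin_render(raw)),
            contains_live_script(safe_admin_render(raw)),
        )
        for name, raw in SAMPLE_COMMENTS.items()
    }
```

Only the plain variant trips the raw blocklist; the encoded ones pass it and still execute once decoded for display, whereas the escaped output is inert in every case.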

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    It’s not possible to tell if it’s a WordPress core issue or anything else by just looking at the symptom of the hack. If you do find the vulnerable code in WordPress core then subtly let us know and we’ll flag it up.

  • The topic ‘My Comment form has been hacked’ is closed to new replies.