CVE-2026-22210

wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary JavaScript into img and anchor tag attributes, executing code in the context of WordPress users viewing comments.

CVSS v3 4.4 MEDIUM

4.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://wordpress.org/plugins/wpdiscuz/	Product
https://wordpress.org/plugins/wpdiscuz/#developers	Product Release Notes
https://www.vulncheck.com/advisories/wpdiscuz-before-cross-site-scripting-via-unescaped-attachment-urls	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2026-03-13 19:54

Updated : 2026-03-17 11:45

NVD link : CVE-2026-22210

Mitre link : CVE-2026-22210

CVE.ORG link : CVE-2026-22210

JSON object : View

Products Affected

gvectors

wpdiscuz

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-22210", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-13T19:54:11.220", "references": [{"url": "https://wordpress.org/plugins/wpdiscuz/", "tags": ["Product"], "source": "disclosure@vulncheck.com"}, {"url": "https://wordpress.org/plugins/wpdiscuz/#developers", "tags": ["Product", "Release Notes"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/wpdiscuz-before-cross-site-scripting-via-unescaped-attachment-urls", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary JavaScript into img and anchor tag attributes, executing code in the context of WordPress users viewing comments."}, {"lang": "es", "value": "wpDiscuz antes de la versi\u00f3n 7.6.47 contiene una vulnerabilidad de cross-site scripting que permite a los atacantes inyectar c\u00f3digo malicioso a trav\u00e9s de URLs de adjuntos sin escapar en la salida HTML, explotando la clase WpdiscuzHelperUpload. Los atacantes pueden crear registros de adjuntos maliciosos o 'hooks' de filtro para inyectar JavaScript arbitrario en los atributos de las etiquetas img y anchor, ejecutando c\u00f3digo en el contexto de los usuarios de WordPress que ven los comentarios."}], "lastModified": "2026-03-17T11:45:35.723", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "A81F51B9-0C21-4F7E-876B-C09A66B9AE05", "versionEndExcluding": "7.6.47"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}