CVE-2026-22191 | THREATINT

Description

wpDiscuz before 7.6.47 contains a shortcode injection vulnerability that allows attackers to execute arbitrary shortcodes by including them in comment content sent via email notifications. Attackers can inject shortcodes like [contact-form-7] or [user_meta] in comments, which are executed server-side when the WpdiscuzHelperEmail class processes notifications through do_shortcode() before wp_mail().

PUBLISHED Reserved 2026-01-06 | Published 2026-03-13 | Updated 2026-03-13 | Assigner VulnCheck

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Problem types

Improper Control of Generation of Code ('Code Injection')

Product status

Default status

unaffected

Any version before 7.6.47

affected

7.6.47

unaffected

Credits

Scott Moore - VulnCheck finder

References

wordpress.org/plugins/wpdiscuz/ (wpDiscuz Changelog) patch

wordpress.org/plugins/wpdiscuz/ (wpDiscuz) product

www.vulncheck.com/...tcode-injection-via-email-notifications (VulnCheck Advisory: wpDiscuz before 7.6.47 - Server-Side Shortcode Injection via Email Notifications) third-party-advisory

cve.org (CVE-2026-22191)

nvd.nist.gov (CVE-2026-22191)

Download JSON