CVE-2026-22204 | THREATINT

Description

wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie. Attackers can craft a malicious cookie value that, when processed through urldecode() and passed to wp_mail() functions, enables header injection to alter email recipients or inject additional headers.

PUBLISHED Reserved 2026-01-06 | Published 2026-03-13 | Updated 2026-03-13 | Assigner VulnCheck

MEDIUM: 6.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

LOW: 3.7CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

Improper Input Validation

Product status

Default status

unaffected

Any version before 7.6.47

affected

7.6.47

unaffected

Credits

Scott Moore - VulnCheck finder

References

wordpress.org/plugins/wpdiscuz/ (wpDiscuz Changelog) patch

wordpress.org/plugins/wpdiscuz/ (wpDiscuz) product

www.vulncheck.com/...-cookie-email-used-as-wp-mail-recipient (VulnCheck Advisory: wpDiscuz before 7.6.47 - Unsanitized Cookie Email Used as wp_mail() Recipient) third-party-advisory

cve.org (CVE-2026-22204)

nvd.nist.gov (CVE-2026-22204)

Download JSON