Description

wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary JavaScript into img and anchor tag attributes, executing code in the context of WordPress users viewing comments.
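As an added illustration, not code from wpDiscuz or from the VulnCheck advisory, the plain PHP below shows the rendering pattern the description refers to: an attachment URL written straight into img and anchor attributes, beside a hardened version that allowlists the URL scheme and attribute-escapes the value before output. The attachment records, function names and the URL policy are constructed for this example; a WordPress plugin would use the built-ins esc_url() and esc_attr() for the same purpose.

```php
<?php
// Added example (not wpDiscuz code). Constructed attachment records, shaped
// like what a comment plugin might read back from stored comment metadata.
$attachments = [
    ['url' => 'https://example.com/uploads/photo.png', 'name' => 'photo.png'],
    // Constructed hostile record: a quote that closes the attribute early,
    // followed by an event-handler attribute.
    ['url' => 'https://example.com/x" onerror="alert(1)', 'name' => 'x.png'],
    // Constructed hostile record: a non-http scheme in the link target.
    ['url' => 'javascript:alert(1)', 'name' => 'link'],
];

// Vulnerable pattern: stored values are concatenated into markup unescaped,
// so a quote in the URL ends the attribute and the rest becomes new attributes.
function render_unescaped(array $att): string {
    return '<a href="' . $att['url'] . '"><img src="' . $att['url']
        . '" alt="' . $att['name'] . '"></a>';
}

// Hardened step 1: only accept absolute http/https URLs (stricter than
// WordPress esc_url(), which keeps a longer protocol allowlist).
function safe_url(string $url): string {
    $parts = parse_url($url);
    if ($parts === false) {
        return '';
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';
    }
    return $url;
}

// Hardened step 2: escape quotes, angle brackets and ampersands so the value
// cannot terminate the attribute it is placed in (plain-PHP stand-in for esc_attr()).
function esc_attr_php(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: reject disallowed schemes, then escape every attribute value.
function render_escaped(array $att): string {
    $url = safe_url($att['url']);
    if ($url === '') {
        return ''; // drop the attachment rather than emit a disallowed URL
    }
    $u = esc_attr_php($url);
    $n = esc_attr_php($att['name']);
    return '<a href="' . $u . '"><img src="' . $u . '" alt="' . $n . '"></a>';
}

foreach ($attachments as $att) {
    echo "unescaped: ", render_unescaped($att), "\n";
    echo "escaped:   ", render_escaped($att), "\n\n";
}
```

Running the script shows the second record producing a live onerror attribute in the unescaped output and a harmless `&quot;` inside the attribute in the escaped output, while the third record is dropped entirely by the scheme check. Escaping alone would not stop the javascript: link, and the scheme check alone would not stop the attribute break-out, which is why both steps are applied.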

PUBLISHED Reserved 2026-01-06 | Published 2026-03-13 | Updated 2026-03-13 | Assigner VulnCheck

LOW: 2.1 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N)
MEDIUM: 4.4 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status: unaffected
Any version before 7.6.47: affected
7.6.47: unaffected

Credits

Scott Moore - VulnCheck finder

References

wordpress.org/plugins/wpdiscuz/ (wpDiscuz Changelog) patch

wordpress.org/plugins/wpdiscuz/ (wpDiscuz) product

www.vulncheck.com/...scripting-via-unescaped-attachment-urls (VulnCheck Advisory: wpDiscuz before 7.6.47 - Cross-Site Scripting via Unescaped Attachment URLs) third-party-advisory

cve.org (CVE-2026-22210)

nvd.nist.gov (CVE-2026-22210)