CVE-2026-22191

MEDIUM

wpDiscuz <7.6.47 - Code Injection

Title source: llm

Description

Beghelli Sicuro24 SicuroWeb contains a template injection vulnerability that allows attackers to inject arbitrary AngularJS expressions by exploiting improper rendering of untrusted input in AngularJS template contexts. Attackers can inject malicious expressions that are compiled and executed by the AngularJS 1.5.2 runtime to achieve arbitrary JavaScript execution in operator browser sessions, with network-adjacent attackers able to deliver payloads via MITM injection in plaintext HTTP deployments.

References (8)

[Product] https://wordpress.org/plugins/wpdiscuz/

[Product] https://wordpress.org/plugins/wpdiscuz/#developers

[Third Party Advisory] https://www.vulncheck.com/advisories/wpdiscuz-before-server-side-shortcode-injection-via-email-notifications

[Exploit] https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/

[Exploit] https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-POC.py

View Exploit ZIP pw:eip

[Technical Description] https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22191-SicuroWeb-ATI-chain.txt

[Product] https://www.beghelli.it

[Third Party Advisory] https://www.vulncheck.com/advisories/beghelli-sicuro24-sicuroweb-angularjs-template-injection

Scores

CVSS v3 5.2

EPSS 0.0001

EPSS Percentile 0.7%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-1336

Status published

Products (4)

Beghelli/SicuroWeb (Sicuro24)

gVectors/wpDiscuz < 7.6.47

gvectors/wpdiscuz < 7.6.47

gVectors/wpDiscuz 7.6.47

Published Mar 13, 2026

Tracked Since Mar 14, 2026