CVE-2026-22204

LOW

wpDiscuz <7.6.47 - Email Header Injection

Title source: llm

Description

wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie. Attackers can craft a malicious cookie value that, when processed through urldecode() and passed to wp_mail() functions, enables header injection to alter email recipients or inject additional headers.

References (3)

[Product] https://wordpress.org/plugins/wpdiscuz/#developers

[Product] https://wordpress.org/plugins/wpdiscuz/

[Third Party Advisory] https://www.vulncheck.com/advisories/wpdiscuz-before-unsanitized-cookie-email-used-as-wp-mail-recipient

Scores

CVSS v3 3.7

EPSS 0.0005

EPSS Percentile 16.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-20

Status published

Products (3)

gVectors/wpDiscuz < 7.6.47

gvectors/wpdiscuz < 7.6.47

gVectors/wpDiscuz 7.6.47

Published Mar 13, 2026

Tracked Since Mar 14, 2026