CVE-2026-22209
Severity: MEDIUM
wpDiscuz < 7.6.47 - Authenticated Stored Cross-Site Scripting via Custom CSS Field
Title source: llmDescription
wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads like </style><script>alert(1)</script> in the custom CSS setting to execute arbitrary JavaScript in user browsers.
References (5)
Third Party Advisory: https://www.vulncheck.com/advisories/thingino-firmware-api-cgi-unauthenticated-command-injection-in-captive-portal
Product (patch): https://wordpress.org/plugins/wpdiscuz/#developers
Product: https://wordpress.org/plugins/wpdiscuz/
Third Party Advisory: https://www.vulncheck.com/advisories/wpdiscuz-before-cross-site-scripting-via-unescaped-custom-css-in-style-tag
Scores
CVSS v3: 5.5
EPSS: 0.0022
EPSS Percentile: 12.6%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (5)
gVectors/wpDiscuz: < 7.6.47
gvectors/wpdiscuz: < 7.6.47
gVectors/wpDiscuz: 7.6.47
themactep/thingino-firmware: < commit e3f6a41
themactep/thingino-firmware: < e3f6a41
Published: Mar 13, 2026
Tracked Since: Mar 14, 2026