CVE-2026-22210
MEDIUMwpDiscuz < 7.6.47 - Cross-Site Scripting via Unescaped Attachment URLs
Title source: llmDescription
wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary JavaScript into img and anchor tag attributes, executing code in the context of WordPress users viewing comments.
References (3)
Core 3
Core References
Product patch
https://wordpress.org/plugins/wpdiscuz/#developers
Product product
https://wordpress.org/plugins/wpdiscuz/
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/wpdiscuz-before-cross-site-scripting-via-unescaped-attachment-urls
Scores
CVSS v3
4.4
EPSS
0.0016
EPSS Percentile
5.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (3)
gVectors/wpDiscuz
< 7.6.47
gvectors/wpdiscuz
< 7.6.47
gVectors/wpDiscuz
7.6.47
Published
Mar 13, 2026
Tracked Since
Mar 14, 2026