CVE-2026-22210
MEDIUM WAF: High
CVSS 6.1
Published: 2026-03-13
CWE-79
wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary JavaScript into img and anchor tag attributes, executing code in the context of WordPress users viewing comments.
WAF Coverage Analysis
Cross-Site Scripting (XSS)
High WAF Coverage
OWASP: A03:2021 Injection
941xxx - XSS / XXE
Affected Software
| Vendor | Product | Version |
|---|---|---|
| gvectors | wpdiscuz | up to 7.6.47 |
References
- wordpress.org (Product)
- wordpress.org (Product, Release Notes)
- www.vulncheck.com (Third Party Advisory)