← back
CVE-2026-22210

wpDiscuz before 7.6.47 - Cross-Site Scripting via Unescaped Attachment URLs

CVSS 2.1 LOWEPSS 0.2%CWE-79
wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary JavaScript into img and anchor tag attributes, executing code in the context of WordPress users viewing comments.
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Affected products
gVectors · wpDiscuz

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wordpress.org/plugins/wpdiscuz/https://wordpress.org/plugins/wpdiscuz/#developershttps://www.vulncheck.com/advisories/wpdiscuz-before-cross-site-scripting-via-unescaped-attachment-urls