← voltar
CVE-2026-22210

wpDiscuz before 7.6.47 - Cross-Site Scripting via Unescaped Attachment URLs

CVSS 2.1 LOWEPSS 0.2%CWE-79
wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary JavaScript into img and anchor tag attributes, executing code in the context of WordPress users viewing comments.
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Produtos afetados
gVectors · wpDiscuz

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://wordpress.org/plugins/wpdiscuz/https://wordpress.org/plugins/wpdiscuz/#developershttps://www.vulncheck.com/advisories/wpdiscuz-before-cross-site-scripting-via-unescaped-attachment-urls