wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary JavaScript into img and anchor tag attributes, executing code in the context of WordPress users viewing comments.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00029.

Exploitation none

Automatable no

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
gVectors wpDiscuz unaffected
Version Status Constraints
0 affected < 7.6.47
7.6.47 unaffected

No data.

No data.

No data.

Project Subscriptions

Vendors Products
Gvectors Subscribe
Wpdiscuz Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://wordpress.org/plugins/wpdiscuz/ cve-icon
https://wordpress.org/plugins/wpdiscuz/#developers cve-icon
https://www.vulncheck.com/advisories/wpdiscuz-before-cross-site-scripting-via-unescaped-attachment-urls cve-icon
History

Fri, 13 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 02:00:00 +0000

Type Values Removed Values Added
Description wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary JavaScript into img and anchor tag attributes, executing code in the context of WordPress users viewing comments.
Title wpDiscuz before 7.6.47 - Cross-Site Scripting via Unescaped Attachment URLs
First Time appeared Gvectors
Gvectors wpdiscuz
Weaknesses CWE-79
CPEs cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
Vendors & Products Gvectors
Gvectors wpdiscuz
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-13T14:14:59.813Z

Reserved: 2026-01-06T16:47:17.187Z

Link: CVE-2026-22210

cve-icon Vulnrichment

Updated: 2026-03-13T14:14:54.571Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses