Executive Summary

CVE-2026-22183 is a stored cross-site scripting (XSS) vulnerability in wpDiscuz versions before 7.6.47. It occurs in the inline comment preview feature, where authenticated users with unfiltered_html capabilities can inject malicious JavaScript code by submitting comments containing unescaped content.

This malicious script is then rendered in the AJAX response generated by the getLastInlineComments() function in the class WpdiscuzHelperAjax.php without proper HTML escaping, allowing the script to execute in the context of the affected website.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to execute stored malicious scripts on the affected site, which can compromise user data or the integrity of the website.

Because the attack is stored and executed in the context of the site, it can lead to unauthorized actions, data theft, or manipulation of site content, potentially affecting both site administrators and users.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious or malicious JavaScript code injected into comments submitted by authenticated users with unfiltered_html capabilities. Since the vulnerability involves stored cross-site scripting in the inline comment preview feature, inspecting AJAX responses from the getLastInlineComments() function for unescaped script content can help identify exploitation attempts.'}, {'type': 'paragraph', 'content': 'Commands to detect this might include using web application security scanners that look for stored XSS vulnerabilities in comment fields or manually inspecting HTTP traffic for suspicious script tags in AJAX responses related to comment previews.'}, {'type': 'paragraph', 'content': 'For example, using curl or wget to fetch the AJAX response and grep to search for script tags or suspicious content could be helpful:'}, {'type': 'list_item', 'content': "curl -s 'https://your-site.com/wp-admin/admin-ajax.php?action=getLastInlineComments' | grep -i '<script>'"}, {'type': 'list_item', 'content': 'Use browser developer tools to inspect AJAX responses for inline comment previews containing unescaped JavaScript.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade wpDiscuz to version 7.6.47 or later, where this stored cross-site scripting vulnerability has been fixed.

Additionally, restricting or reviewing user permissions to limit unfiltered_html capabilities can reduce the risk of exploitation by preventing unauthorized users from injecting malicious scripts.

Implementing web application firewalls (WAF) rules to detect and block suspicious script injections in comment content can also help mitigate the risk until the patch is applied.

Useful 0 Not Useful 0