CVE-2026-22191
Received Received - Intake
Shortcode Injection in wpDiscuz Email Notifications Enables Code Execution

Publication date: 2026-03-13

Last updated on: 2026-04-22

Assigner: VulnCheck

Description
Beghelli Sicuro24 SicuroWeb contains a template injection vulnerability that allows attackers to inject arbitrary AngularJS expressions by exploiting improper rendering of untrusted input in AngularJS template contexts. Attackers can inject malicious expressions that are compiled and executed by the AngularJS 1.5.2 runtime to achieve arbitrary JavaScript execution in operator browser sessions, with network-adjacent attackers able to deliver payloads via MITM injection in plaintext HTTP deployments.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22191
EUVD
EUVD-2026-11742
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gvectors wpdiscuz to 7.6.47 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1336 The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22191 is a server-side shortcode injection vulnerability affecting wpDiscuz versions before 7.6.47. It allows attackers to embed arbitrary WordPress shortcodes within comment content that triggers email notifications.

When the WpdiscuzHelperEmail class processes these notifications, it uses the WordPress function do_shortcode() before sending emails via wp_mail(). This causes the injected shortcodes, such as [contact-form-7] or [user_meta], to be executed on the server side.

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can lead to the execution of arbitrary shortcodes on the server, which may result in unauthorized actions or information disclosure depending on the shortcode's functionality."}, {'type': 'paragraph', 'content': 'The CVSS v4 base score is 6.9, indicating a moderate severity with a network attack vector, low attack complexity, no privileges required, and no user interaction needed.'}, {'type': 'paragraph', 'content': 'The impact includes low confidentiality and integrity loss but no impact on availability.'}] [1]

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by inspecting comment content that triggers email notifications for the presence of suspicious WordPress shortcodes such as [contact-form-7] or [user_meta]. Since the vulnerability involves server-side execution of shortcodes embedded in comments, monitoring or searching for these shortcode patterns in comment data or email notification content can help identify potential exploitation attempts.

Specific commands are not provided in the available resources, but a practical approach would be to search the database or comment storage for injected shortcode patterns. For example, using SQL queries to find comments containing shortcode patterns or using grep-like commands on exported comment data could be effective.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade wpDiscuz to version 7.6.47 or later, where this shortcode injection issue has been fixed.

Until the upgrade is applied, consider disabling or restricting email notifications triggered by comments or implementing input validation/sanitization to prevent shortcode injection in comment content.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22191. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart