CVE-2026-22191
Shortcode Injection in wpDiscuz Email Notifications Enables Code Execution
Publication date: 2026-03-13
Last updated on: 2026-04-22
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gvectors | wpdiscuz | up to 7.6.47 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22191 is a server-side shortcode injection vulnerability affecting wpDiscuz versions before 7.6.47. It allows attackers to embed arbitrary WordPress shortcodes within comment content that triggers email notifications.
When the WpdiscuzHelperEmail class processes these notifications, it uses the WordPress function do_shortcode() before sending emails via wp_mail(). This causes the injected shortcodes, such as [contact-form-7] or [user_meta], to be executed on the server side.
How can this vulnerability impact me?
This vulnerability can lead to the execution of arbitrary shortcodes on the server, which may result in unauthorized actions or information disclosure depending on the shortcode's functionality.
The CVSS v4 base score is 6.9, indicating a moderate severity with a network attack vector, low attack complexity, no privileges required, and no user interaction needed.
The impact includes low confidentiality and integrity loss but no impact on availability. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting comment content that triggers email notifications for the presence of suspicious WordPress shortcodes such as [contact-form-7] or [user_meta]. Since the vulnerability involves server-side execution of shortcodes embedded in comments, monitoring or searching for these shortcode patterns in comment data or email notification content can help identify potential exploitation attempts.
Specific commands are not provided in the available resources, but a practical approach would be to search the database or comment storage for injected shortcode patterns. For example, using SQL queries to find comments containing shortcode patterns or using grep-like commands on exported comment data could be effective.
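The scan described above, as an added example (not code from the CVE record, from VulnCheck, or from the wpDiscuz plugin): a small scanner that extracts unescaped WordPress-style shortcode tags from comment text and flags any comment carrying one, plus the equivalent first-pass MySQL query. The comment rows are constructed sample data; the query assumes the default `wp_` table prefix; and the rule that a shortcode name must start with a letter is a detection heuristic chosen here to skip citation-style tokens like `[1]`, not WordPress's own (more permissive) shortcode grammar.

```python
import re
from typing import Iterable

# WordPress-style shortcode tag: [name], [name attr="v"], [name]...[/name].
# Group 1 captures a second opening bracket, which WordPress treats as an
# escape ([[name]] renders literally and is not executed). Requiring the name
# to start with a letter is a detection heuristic (skips "[1]"-style
# citations); WordPress itself accepts a wider range of names.
SHORTCODE_RE = re.compile(r"\[(\[?)([A-Za-z][A-Za-z0-9_-]*)([^\]]*)\]")

# Constructed sample records shaped like wp_comments rows (not real data).
SAMPLE_COMMENTS = [
    {"id": 1, "content": "Great post, thanks!"},
    {"id": 2, "content": 'See [contact-form-7 id="7" title="Contact"]'},
    {"id": 3, "content": '[user_meta key="user_pass"] hello [gallery]'},
    {"id": 4, "content": "Literal [[not_a_shortcode]] is escaped"},
    {"id": 5, "content": "Reference [1] is a citation, not a shortcode"},
]


def find_shortcodes(text: str) -> list[str]:
    """Return the names of unescaped shortcode tags in `text`, in order."""
    names = []
    for m in SHORTCODE_RE.finditer(text):
        escaped, name = m.group(1), m.group(2)
        if escaped:  # [[...]] is rendered literally by WordPress, so skip it
            continue
        names.append(name.lower())
    return names


def scan_comments(comments: Iterable[dict],
                  allowlist: frozenset[str] = frozenset()) -> list[dict]:
    """Flag comments carrying shortcodes outside `allowlist`.

    Returns one finding per flagged comment: {"id": ..., "shortcodes": [...]}.
    Use `allowlist` for shortcodes the site deliberately permits in comments.
    """
    findings = []
    for c in comments:
        hits = [n for n in find_shortcodes(c["content"]) if n not in allowlist]
        if hits:
            findings.append({"id": c["id"], "shortcodes": hits})
    return findings


# Equivalent first-pass query for a live database (assumes the default "wp_"
# table prefix; adjust for a custom prefix). Inside a MySQL string literal the
# regex brackets need double backslashes so the engine sees \[ and \].
WP_COMMENTS_QUERY = (
    "SELECT comment_ID, comment_author_email, comment_date, comment_content "
    "FROM wp_comments "
    r"WHERE comment_content REGEXP '\\[[A-Za-z][A-Za-z0-9_-]*[^\\]]*\\]' "
    "ORDER BY comment_date DESC"
)

if __name__ == "__main__":
    for f in scan_comments(SAMPLE_COMMENTS):
        print(f"comment {f['id']}: shortcodes {f['shortcodes']}")
    print(WP_COMMENTS_QUERY)
```

Run against an export of the comments table (or the query against the database directly), then review each hit: a bracketed tag in a comment is only a problem if a matching shortcode is registered on the site, so the findings are triage candidates rather than confirmed exploitation, and anything the site legitimately allows in comments belongs in the allowlist.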
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade wpDiscuz to version 7.6.47 or later, where this shortcode injection issue has been fixed.
Until the upgrade is applied, consider disabling or restricting email notifications triggered by comments or implementing input validation/sanitization to prevent shortcode injection in comment content.