CVE-2026-22192
Received Received - Intake
Stored XSS in wpDiscuz Options Import Allows Persistent Script Injection

Publication date: 2026-03-13

Last updated on: 2026-04-22

Assigner: VulnCheck

Description
Voltronic Power SNMP Web Pro version 1.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to access privileged management functions by manipulating browser localStorage values. Attackers can modify client-side authentication state to bypass server-side access controls and gain unauthorized access to protected management functionality without valid credentials.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22192
EUVD
EUVD-2026-11743
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gvectors wpdiscuz to 7.6.47 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-22192 is a stored cross-site scripting (XSS) vulnerability in wpDiscuz versions before 7.6.47. It allows authenticated attackers to inject malicious JavaScript code by importing a specially crafted JSON options file. This file contains malicious scripts embedded in the "customCss" field, which is not properly sanitized. As a result, the injected script executes on every page rendered through the options handler.'}] [1]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious JavaScript code in the context of your website. This can lead to unauthorized actions such as stealing user credentials, hijacking user sessions, defacing the website, or performing other malicious activities that compromise the confidentiality and integrity of your site and its users.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves the import of a crafted JSON options file containing malicious JavaScript payloads in the customCss field. Detection would involve monitoring or inspecting imported options files for suspicious or unexpected script content within the customCss parameter.

Since the vulnerability requires an authenticated attacker to import a malicious JSON file, detection can include auditing import activities and examining the contents of imported options files for embedded script tags or JavaScript code.

Specific commands are not provided in the available resources. However, a general approach could be to search the wpDiscuz options import files or database entries for suspicious patterns such as <script> tags or JavaScript event handlers within the customCss field.

Mitigation Strategies

The immediate mitigation step is to update wpDiscuz to version 7.6.47 or later, where the vulnerability has been fixed by implementing proper input sanitization on the options import feature.

Until the update can be applied, restrict or monitor the import of options files to prevent authenticated users from importing crafted JSON files containing malicious scripts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22192. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart