CVE-2026-22204
Status: Received - Intake
Email Header Injection in wpDiscuz via comment_author_email Cookie

Publication date: 2026-03-13

Last updated on: 2026-03-17

Assigner: VulnCheck

Description
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie. Attackers can craft a malicious cookie value that, when processed through urldecode() and passed to wp_mail() functions, enables header injection to alter email recipients or inject additional headers.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-13
EPSS evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: gvectors
Product: wpdiscuz
Version / Range: up to 7.6.47 (7.6.47 itself excluded)
CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-22204 is an email header injection vulnerability in wpDiscuz versions before 7.6.47. It occurs because the plugin uses the comment_author_email cookie value directly as a recipient in the wp_mail() function without proper sanitization.

Attackers can craft a malicious cookie containing encoded data that, when decoded by urldecode(), allows them to inject additional email headers or manipulate the mail recipients. This improper input validation enables attackers to alter email delivery behavior.


How can this vulnerability impact me?

This vulnerability can allow attackers to manipulate email recipients or inject arbitrary headers into emails sent by the wpDiscuz plugin.

Such manipulation could lead to unauthorized emails being sent to unintended recipients, potentially causing information disclosure or misuse of the email system.

The CVSS v4 score of 6.3 indicates a moderate severity with low attack complexity and no privileges required, meaning it can be exploited remotely without user interaction.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves manipulation of the comment_author_email cookie to inject malicious email headers. Detection can focus on monitoring HTTP requests for suspicious or unusually encoded comment_author_email cookie values. [1]

- Use network traffic inspection tools (e.g., Wireshark or tcpdump) to capture HTTP requests and filter for the comment_author_email cookie.
- Example tcpdump command to capture HTTP traffic with a non-empty TCP payload on port 80 (plaintext HTTP only; TLS traffic cannot be inspected this way):
  tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
- Use grep or similar tools on web server logs to search for suspicious comment_author_email cookie values containing URL-encoded characters or newline characters that could indicate header injection attempts. Note that the stock combined log format does not record the Cookie request header; a custom LogFormat that includes %{Cookie}i is needed for the value to appear in access.log at all.
- Example grep command on Apache logs (-i also matches %0A/%0D; the \\n and \\r alternatives match the escaped form Apache writes when a raw control character reaches the log):
  grep 'comment_author_email=' /var/log/apache2/access.log | grep -iE '%0a|%0d|\\n|\\r'


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to update wpDiscuz to version 7.6.47 or later, where the vulnerability has been fixed.

Until the update can be applied, consider implementing input validation or sanitization on the comment_author_email cookie to prevent injection of newline or header characters.

Additionally, monitor email sending behavior for unexpected recipients or headers, and restrict access to the affected plugin if possible.
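The following is an added Python illustration, not code from wpDiscuz or from this advisory's authors, that works through both the detection idea in the answer above (scanning logged cookie values for encoded newlines) and the interim sanitization advised here (accepting the cookie-derived address only if it is one plain address before it reaches any mailer). It goes slightly beyond the grep in the text by decoding repeatedly, so a double-encoded newline is flagged too. The log format, the sample log lines and all function names are constructed for the example; the cookie name, the urldecode()-style decoding and the %0a/%0d indicators come from the advisory.

```python
import re
from urllib.parse import unquote_plus

# One plain address only: no whitespace, no CR/LF, no '%' (a leftover encoded
# sequence), no separators that could start a second recipient or a header.
# Deliberately stricter than RFC 5322; a comment notification never needs more.
ADDRESS_RE = re.compile(r'^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$')
COOKIE_RE = re.compile(r'\bcomment_author_email=([^;"\s]*)')
MAX_DECODE_ROUNDS = 3  # bounded so a pathological value cannot loop forever

# Constructed sample access-log lines (not real traffic). They assume a custom
# Apache LogFormat that appends the request's Cookie header as a final quoted
# field ("%{Cookie}i"); the stock combined format does not log cookies at all.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Mar/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "comment_author_email=alice%40example.com; wordpress_test_cookie=WP"
203.0.113.11 - - [13/Mar/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "comment_author_email=bob%40example.com%0AX-Injected%3A%201"
203.0.113.12 - - [13/Mar/2026:10:00:03 +0000] "GET /?p=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "wordpress_test_cookie=WP"
203.0.113.13 - - [13/Mar/2026:10:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "comment_author_email=carol%40example.com%0D%0AX-Injected%3A%201"
203.0.113.14 - - [13/Mar/2026:10:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "comment_author_email=dan%40example.com%250AX-Injected%3A%201"
203.0.113.15 - - [13/Mar/2026:10:00:06 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "comment_author_email=eve%40example.com%2C%20frank%40example.net"
"""


def decode_layers(raw_value):
    """Apply PHP-style urldecode() repeatedly until the value stops changing.
    unquote_plus is used because PHP's urldecode turns '+' into a space too.
    Every intermediate layer is returned so a double-encoded newline
    (%250A -> %0A -> LF) is visible even though the advisory's grep only
    matches the single-encoded form."""
    layers = [raw_value]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


def classify(raw_value):
    """Detection verdict for one raw cookie value taken from a log line."""
    layers = decode_layers(raw_value)
    if any("\r" in v or "\n" in v for v in layers):
        return "crlf"            # header-injection indicator
    if not ADDRESS_RE.match(layers[-1]):
        return "not-an-address"  # e.g. a recipient list, or junk
    return "ok"


def scan_log(text):
    """Return (line_no, verdict, raw_cookie_value) for every flagged line."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = COOKIE_RE.search(line)
        if m is None:
            continue
        verdict = classify(m.group(1))
        if verdict != "ok":
            hits.append((line_no, verdict, m.group(1)))
    return hits


def recipient_from_cookie(raw_value):
    """Mitigation gate for the interim advice above: decode once (as the
    advisory says the plugin does) and pass the value on only if it is a
    single plain address. Anything else returns None, and the caller must
    fall back to a trusted recipient (e.g. the stored post-author address)
    rather than the cookie."""
    decoded = unquote_plus(raw_value)
    if "\r" in decoded or "\n" in decoded or not ADDRESS_RE.match(decoded):
        return None
    return decoded


if __name__ == "__main__":
    for line_no, verdict, raw in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {verdict}: {raw}")
    print(recipient_from_cookie("alice%40example.com"))                    # alice@example.com
    print(recipient_from_cookie("bob%40example.com%0AX-Injected%3A%201"))  # None
```

The allowlist regex is the important design choice: rather than stripping CR and LF (which leaves every other way of smuggling a second recipient or header open), it refuses anything that is not exactly one address, and a refused value must be replaced by a recipient the site already trusts, never by a "cleaned" version of the cookie.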

