CVE-2026-22204
Received Received - Intake
Email Header Injection in wpDiscuz via comment_author_email Cookie

Publication date: 2026-03-13

Last updated on: 2026-03-17

Assigner: VulnCheck

Description
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie. Attackers can craft a malicious cookie value that, when processed through urldecode() and passed to wp_mail() functions, enables header injection to alter email recipients or inject additional headers.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22204
EUVD
EUVD-2026-11749
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gvectors wpdiscuz to 7.6.47 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22204 is an email header injection vulnerability in wpDiscuz versions before 7.6.47. It occurs because the plugin uses the comment_author_email cookie value directly as a recipient in the wp_mail() function without proper sanitization.

Attackers can craft a malicious cookie containing encoded data that, when decoded by urldecode(), allows them to inject additional email headers or manipulate the mail recipients. This improper input validation enables attackers to alter email delivery behavior.

Impact Analysis

This vulnerability can allow attackers to manipulate email recipients or inject arbitrary headers into emails sent by the wpDiscuz plugin.

Such manipulation could lead to unauthorized emails being sent to unintended recipients, potentially causing information disclosure or misuse of the email system.

The CVSS v4 score of 6.3 indicates a moderate severity with low attack complexity and no privileges required, meaning it can be exploited remotely without user interaction.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves manipulation of the comment_author_email cookie to inject malicious email headers. Detection can focus on monitoring HTTP requests for suspicious or unusually encoded comment_author_email cookie values.'}, {'type': 'list_item', 'content': 'Use network traffic inspection tools (e.g., Wireshark or tcpdump) to capture HTTP requests and filter for the comment_author_email cookie.'}, {'type': 'list_item', 'content': "Example tcpdump command to capture HTTP traffic on port 80: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'"}, {'type': 'list_item', 'content': 'Use grep or similar tools on web server logs to search for suspicious comment_author_email cookie values containing URL-encoded characters or newline characters that could indicate header injection attempts.'}, {'type': 'list_item', 'content': "Example grep command on Apache logs: grep 'comment_author_email=' /var/log/apache2/access.log | grep -E '%0a|%0d|\\n|\\r'"}] [1]

Mitigation Strategies

The primary mitigation is to update wpDiscuz to version 7.6.47 or later, where the vulnerability has been fixed.

Until the update can be applied, consider implementing input validation or sanitization on the comment_author_email cookie to prevent injection of newline or header characters.

Additionally, monitor email sending behavior for unexpected recipients or headers, and restrict access to the affected plugin if possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22204. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart