CVE-2026-22210
Cross-Site Scripting in wpDiscuz Attachment URL Handling
Publication date: 2026-03-13
Last updated on: 2026-03-17
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gvectors | wpdiscuz | up to 7.6.47 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22210 is a cross-site scripting (XSS) vulnerability found in wpDiscuz versions before 7.6.47. It occurs because the software does not properly escape attachment URLs in HTML output, specifically in the WpdiscuzHelperUpload class. Attackers can exploit this by creating malicious attachment records or using filter hooks to inject arbitrary JavaScript code into the attributes of img and anchor tags. This malicious code then executes in the context of WordPress users who view comments, potentially compromising their security.
How can this vulnerability impact me?
This vulnerability allows attackers to execute arbitrary JavaScript code in the browsers of WordPress users viewing comments. This can lead to security issues such as session hijacking, theft of sensitive information, or performing actions on behalf of the user without their consent. The impact is limited to users who interact with the affected comments, and the overall confidentiality, integrity, and availability impacts are low to limited.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unescaped attachment URLs in wpDiscuz versions prior to 7.6.47, which can be exploited by injecting malicious JavaScript into img and anchor tag attributes in HTML output. Detection typically involves inspecting the HTML output of comments for suspicious or unexpected JavaScript code within attachment URLs.
Since the vulnerability is related to the WpdiscuzHelperUpload class handling attachment URLs, you can check the installed wpDiscuz version to see if it is older than 7.6.47.
Suggested commands to detect the vulnerability include:
- Check the wpDiscuz plugin version installed on your WordPress site by running: `wp plugin list | grep wpdiscuz` (using WP-CLI).
- Search for suspicious JavaScript in comment attachments by fetching comment pages and grepping for script tags or suspicious attributes, for example: `curl -s https://yourwordpresssite.com/comments-page | grep -E '<img[^>]*onerror|<a[^>]*javascript:'`.
- Review the database for malicious attachment records by querying the WordPress database for attachments with suspicious URLs or scripts. [1]
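The unescaped-attribute pattern behind this CWE-79 finding next to a hardened renderer, plus the comment-HTML check the detection answer describes, as an added Python example that is not wpDiscuz's code. Function names, the `example.invalid` URLs and the sample markup are constructed for illustration, and the scanner is a general check for img/anchor attributes rather than one tied to wpDiscuz's real markup.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

def render_attachment_unsafe(url):
    # Vulnerable pattern (constructed, not the plugin's code): the URL is
    # concatenated into attributes unescaped, so a quote in it ends the attribute.
    return '<a href="' + url + '"><img src="' + url + '"></a>'

def safe_attachment_url(url):
    # Allow only absolute http(s) URLs; strip control chars/whitespace that
    # browsers ignore inside a scheme, so "java\tscript:" cannot pass the allowlist.
    cleaned = re.sub(r"[\x00-\x20]", "", url)
    scheme = urlsplit(cleaned).scheme.lower()
    return cleaned if scheme in ("http", "https") else ""

def render_attachment_safe(url):
    # Hardened form: scheme allowlist plus attribute escaping of ", ', <, >, &.
    safe = html.escape(safe_attachment_url(url), quote=True)
    return '<a href="%s"><img src="%s"></a>' % (safe, safe) if safe else ""

class AttachmentScanner(HTMLParser):
    # Flags <img>/<a> tags carrying on* event handlers or non-http(s) URLs.
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "a"):
            return
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, name, value))
            elif name in ("src", "href") and not safe_attachment_url(value or ""):
                self.findings.append((tag, name, value))

def scan_comment_html(markup):
    # Returns (tag, attribute, value) findings for a fetched page of comments.
    scanner = AttachmentScanner()
    scanner.feed(markup)
    return scanner.findings

# Constructed sample page, not real site output: one benign attachment and two
# suspicious ones of the kind the grep command in this answer looks for.
SAMPLE_HTML = (
    '<p><img src="https://example.invalid/up/photo.png"></p>'
    '<p><a href="javascript:alert(1)">file</a></p>'
    '<p><img src="https://example.invalid/x.png" onerror="alert(1)"></p>'
)
```

Relative attachment paths are rejected by the allowlist as written; relax `safe_attachment_url` if your site serves uploads by path rather than absolute URL.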
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the wpDiscuz plugin to version 7.6.47 or later, where this cross-site scripting vulnerability has been fixed.
Additional immediate steps include:
- Temporarily disable the wpDiscuz plugin if updating is not immediately possible.
- Review and sanitize any existing attachment URLs or filter hooks that might have been exploited to inject malicious code.
- Implement web application firewall (WAF) rules to block suspicious JavaScript injection attempts in comment attachments.
- Educate users to avoid clicking on suspicious links or attachments in comments until the issue is resolved.