TROYANOSYVIRUS
Back to CVEs

CVE-2026-22183

MEDIUM
6.1

Description

wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in the inline comment preview functionality that allows authenticated users to inject malicious scripts by submitting comments with unescaped content. Attackers with unfiltered_html capabilities can inject JavaScript directly through comment content rendered in the AJAX response from the getLastInlineComments() function in class.WpdiscuzHelperAjax.php without proper HTML escaping.

CVE Details

CVSS v3.1 Score6.1
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionREQUIRED
Published3/13/2026
Last Modified3/17/2026
Sourcenvd
Honeypot Sightings0

Affected Products

gvectors:wpdiscuz

Weaknesses (CWE)

CWE-79

References

https://wordpress.org/plugins/wpdiscuz/(disclosure@vulncheck.com)
https://wordpress.org/plugins/wpdiscuz/#developers(disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/wpdiscuz-before-stored-cross-site-scripting-in-inline-comment-preview(disclosure@vulncheck.com)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.