cvedb.io
CVE-2026-22210
MEDIUM · CVSS 4.4
EPSS exploitation probability: 0%
Published 2026-03-13T19:54:11.220 · Last modified 2026-06-17T10:19:33.363

Summary

wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary JavaScript into img and anchor tag attributes, executing code in the context of WordPress users viewing comments.

Affected products

gvectors — wpdiscuz

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.