5.1
CVE-2026-22209 - wpDiscuz before 7.6.47 - Cross-Site Scripting via Unescaped Custom CSS in Style Tag
wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads like </style><script>alert(1)</script> in the custom CSS setting to execuโฆ
6.3
CVE-2026-22204 - wpDiscuz before 7.6.47 - Unsanitized Cookie Email Used as wp_mail() Recipient
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie. Attackers can craft a malicious cookie value that, when processed through urldecode() and passed to wp_mail()โฆ
6.9
CVE-2026-22203 - wpDiscuz before 7.6.47 - Options Export Leaks OAuth Secrets in Plaintext
wpDiscuz before 7.6.47 contains an information disclosure vulnerability that allows administrators to inadvertently expose OAuth secrets by exporting plugin options as JSON. Attackers can obtain exported files containing plaintext API secrets like fbAppSecret, googleClientSecret, twitterAppSecret, โฆ
6.1
CVE-2026-22202 - wpDiscuz before 7.6.47 - Destructive GET Action Deletes All Comments by Email
wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to tโฆ
6.9
CVE-2026-22201 - wpDiscuz before 7.6.47 - IP Address Spoofing in getIP()
wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP() function that allows attackers to bypass IP-based rate limiting and ban enforcement by trusting untrusted HTTP headers. Attackers can set HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR headers to spoof their IP address and circumveโฆ
6.9
CVE-2026-22199 - wpDiscuz before 7.6.47 - Vote Manipulation via Nonce Oracle and IP Rotation
wpDiscuz before 7.6.47 contains a vote manipulation vulnerability that allows attackers to manipulate comment votes by obtaining fresh nonces and bypassing rate limiting through client-controlled headers. Attackers can vary User-Agent headers to reset rate limits, request nonces from the unauthentiโฆ
9.2
CVE-2026-22193 - wpDiscuz before 7.6.47 - SQL Injection in getAllSubscriptions()
wpDiscuz before 7.6.47 contains an SQL injection vulnerability in the getAllSubscriptions() function where string parameters lack proper quote escaping in SQL queries. Attackers can inject malicious SQL code through email, activation_key, subscription_date, and imported_from parameters to manipulatโฆ
6.3
CVE-2026-22192 - wpDiscuz before 7.6.47 - Stored Cross-Site Scripting via Malicious Options Import
wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by importing a crafted options file with unescaped customCss field values. Attackers can supply a malicious JSON import file containing script payloads in tโฆ
6.9
CVE-2026-22191 - wpDiscuz before 7.6.47 - Server-Side Shortcode Injection via Email Notifications
wpDiscuz before 7.6.47 contains a shortcode injection vulnerability that allows attackers to execute arbitrary shortcodes by including them in comment content sent via email notifications. Attackers can inject shortcodes like [contact-form-7] or [user_meta] in comments, which are executed server-siโฆ
5.3
CVE-2026-22183 - wpDiscuz before 7.6.47 - Stored Cross-Site Scripting in Inline Comment Preview
wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in the inline comment preview functionality that allows authenticated users to inject malicious scripts by submitting comments with unescaped content. Attackers with unfiltered_html capabilities can inject JavaScript directโฆ