PT-2026-2165 · Beghelli+1 · Sicuroweb+1

Jean-Marie Bourbon +2 · Published 2026-01-09 · Updated 2026-04-22 · CVE-2026-22191

CVSS v3.1: 5.2 Medium (AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Name of the Vulnerable Software and Affected Versions: wpDiscuz versions prior to 7.6.47

Description: The software contains a shortcode injection issue that allows attackers to execute arbitrary shortcodes. This is achieved by including shortcodes in comment content sent via email notifications. Attackers can inject shortcodes such as [contact-form-7] or [user_meta] within comments. These shortcodes are executed server-side when the WpdiscuzHelperEmail class processes notifications through the do_shortcode() function before wp_mail(). The do_shortcode() function is used to process shortcodes within the comment content.

Recommendations: Update wpDiscuz to version 7.6.47 or later.
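
A defender-side check for the condition in the description, as an added example (not wpDiscuz or WordPress code): it scans exported comment bodies for unescaped shortcodes whose tags are registered on the site, which are the ones do_shortcode() would execute. The registered tag set, the function names and the sample comments are assumptions constructed for illustration, and attribute parsing is simplified.

```python
import re

# Opening shortcode: [tag], [tag attr="x"] or [tag /]. Closing tags such as
# [/tag] never match because the tag must start with a word character.
# Groups 1 and 3 capture the optional extra brackets of the [[tag]] escape form.
SHORTCODE_RE = re.compile(
    r"(\[?)\[([A-Za-z0-9_][A-Za-z0-9_-]*)(?=[\s\]/])[^\[\]]*\](\]?)"
)

# Assumption: tags registered on the site under review. The first two are the
# ones named in the advisory; replace with the site's real list.
REGISTERED_TAGS = {"contact-form-7", "user_meta", "gallery"}


def find_shortcodes(text, registered=REGISTERED_TAGS):
    """Return registered shortcode tags that appear unescaped in text."""
    hits = []
    for m in SHORTCODE_RE.finditer(text):
        # [[tag]] is WordPress's escape form and is rendered literally.
        if m.group(1) and m.group(3):
            continue
        tag = m.group(2)
        # Unregistered tags are left untouched by shortcode processing.
        if tag in registered and tag not in hits:
            hits.append(tag)
    return hits


def audit_comments(comments, registered=REGISTERED_TAGS):
    """Map comment id -> tags found, for comments that carry live shortcodes."""
    report = {}
    for comment_id, body in comments:
        tags = find_shortcodes(body, registered)
        if tags:
            report[comment_id] = tags
    return report


# Constructed sample comments (id, body); not taken from any real site.
SAMPLE_COMMENTS = [
    (101, "Great post, thanks for sharing!"),
    (102, 'Nice. [contact-form-7 id="1" title="x"]'),
    (103, "How do I write [[user_meta]] literally?"),
    (104, "See [1] and [unknown-tag]. [user_meta key='email'] [/user_meta]"),
]

if __name__ == "__main__":
    for comment_id, tags in audit_comments(SAMPLE_COMMENTS).items():
        print(f"comment {comment_id}: shortcode(s) {', '.join(tags)}")
```
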

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers: CVE-2026-22191

Affected Products: Sicuroweb, Wpdiscuz