PT-2026-2166 · Voltronic Power+1 · Snmp Web Pro+1
Jean-Marie Bourbon +2 · Published 2026-01-09 · Updated 2026-04-22 · CVE-2026-22192
CVSS v3.1: 9.9 Critical | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions
wpDiscuz versions prior to 7.6.47
Description
The software contains a stored cross-site scripting issue that permits authenticated attackers to inject malicious JavaScript. This is achieved by importing a specially crafted options file containing unescaped custom CSS field values. Attackers can provide a malicious JSON import file with script payloads within the customCss parameter. These payloads execute on every page when rendered through the options handler due to insufficient sanitization.
Recommendations
Update wpDiscuz to version 7.6.47 or later.
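A pre-import audit for the options file described above, as an added example that is not wpDiscuz code: it walks the JSON, finds every customCss value and reports any that carries HTML markup, which legitimate CSS never needs. The JSON layout and the "thread_styles" key in the samples are assumptions; only the customCss name comes from the description.

```python
import json
import re

# An HTML tag or comment opener such as "<script", "</style" or "<!--".
# A bare "<" is not flagged: media-query range syntax like (400px < width) uses it.
TAG_RE = re.compile(r"</?[A-Za-z!]")
FIELD = "customCss"  # parameter named in the advisory


def find_custom_css(node, path="$"):
    """Yield (json_path, value) for every customCss key at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == FIELD:
                yield child, value
            else:
                yield from find_custom_css(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_custom_css(item, f"{path}[{i}]")


def audit_options_file(text):
    """Return a list of findings; an empty list means no markup was found."""
    findings = []
    for path, value in find_custom_css(json.loads(text)):
        if not isinstance(value, str):
            findings.append((path, "non-string value"))
        elif TAG_RE.search(value):
            findings.append((path, "HTML markup in CSS field"))
    return findings


# Constructed sample files; the nesting under "thread_styles" is assumed.
CLEAN = '{"thread_styles": {"customCss": ".comments-area{margin:0 auto;} a > b{color:red}"}}'
SUSPECT = '{"thread_styles": {"customCss": ".x{color:red}<script>/* constructed */</script>"}}'

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, audit_options_file(sample))
```

A finding means the file should not be imported on a version prior to 7.6.47; the check complements the update and does not replace it.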
Exploit
Fix
Missing Authentication
XSS
Related Identifiers
Affected Products
Snmp Web Pro
Wpdiscuz