PT-2026-25146 · Gvectors · Wpdiscuz

Scott Moore · Published 2026-03-13 · Updated 2026-03-13 · CVE-2026-22210

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
wpDiscuz versions prior to 7.6.47

Description
The software contains a cross-site scripting issue that allows attackers to inject malicious code. This is achieved through unescaped attachment URLs in HTML output, specifically by exploiting the WpdiscuzHelperUpload class. Attackers can create malicious attachment records or utilize filter hooks to inject arbitrary JavaScript into img and anchor tag attributes, leading to code execution within the context of WordPress users viewing comments.

Recommendations
Update wpDiscuz to version 7.6.47 or later.
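
The class of bug described above, shown as an added example that is neither wpDiscuz code nor the vendor's patch: an attachment URL written into img and anchor attributes without escaping, next to a version that validates the scheme and escapes for attribute context. The function names and the sample URL are hypothetical; the code is standalone PHP, and inside WordPress the core helpers esc_url() and esc_attr() serve this purpose.

```php
<?php
// Added example, not wpDiscuz code. Function names are hypothetical.

// Before: the stored URL is concatenated into HTML attributes as-is,
// so a double quote in the value ends the attribute early.
function render_attachment_unescaped(string $url): string {
    return '<a href="' . $url . '"><img src="' . $url . '"></a>';
}

// After: accept only http(s) URLs, then HTML-escape for attribute context.
function render_attachment_escaped(string $url): string {
    // parse_url() returns null/false when no scheme can be read.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return ''; // drop attachments with unexpected schemes
    }
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $safe . '"><img src="' . $safe . '"></a>';
}

// Constructed sample value: the embedded quote closes the attribute
// and introduces a second, attacker-chosen attribute.
$url = 'https://example.test/a.png" data-injected="1';

// The unescaped output carries data-injected as a real attribute.
echo render_attachment_unescaped($url), PHP_EOL;

// The escaped output keeps the whole value inside href/src (&quot;).
echo render_attachment_escaped($url), PHP_EOL;
```

Values that arrive through filter hooks need the same treatment at output time, since escaping applied before a filter runs does not cover what the filter returns.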

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-22210

Affected Products

Wpdiscuz