CVE-2026-22204

low-risk

Published 2026-03-13

wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie. Attackers can craft a malicious cookie value that, when processed through urldecode() and passed to wp_mail() functions, enables header injection to alter email recipients or inject additional headers.

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 3.7/10 Low

NETWORK / HIGH complexity

Affected Products (1)

Wpdiscuz

Affected Vendors

Gvectors

References (3)

Product https://wordpress.org/plugins/wpdiscuz/

Product https://wordpress.org/plugins/wpdiscuz/#developers

Third Party Advisory https://www.vulncheck.com/advisories/wpdiscuz-before-unsanitized-cookie-email-us...

/ 100

low-risk

Severity 13/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal