Description
wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in the inline comment preview functionality that allows authenticated users to inject malicious scripts by submitting comments with unescaped content. Attackers with unfiltered_html capabilities can inject JavaScript directly through comment content rendered in the AJAX response from the getLastInlineComments() function in class.WpdiscuzHelperAjax.php without proper HTML escaping.
Published: 2026-03-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The vulnerability in wpDiscuz allows an authenticated user who has the unfiltered_html capability to store malicious JavaScript within comment content. The stored script is returned unescaped in an AJAX response from the getLastInlineComments() function, which builds the inline comment preview. When a victim views the preview, the injected code executes in the victim's browser, enabling defacement, session hijacking, or other client‑side attacks. This is a classic stored XSS (CWE‑79): it affects the confidentiality and integrity of the user session but does not provide a direct remote code execution vector on the server side.
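The output-escaping defect described above, shown beside a hardened form, as an added illustration: this is not wpDiscuz code and not the vendor's fix. It is a standalone PHP sketch of a comment-preview AJAX handler. `$stored_comment` is a constructed sample, `build_preview_response_unsafe()`, `build_preview_response_safe()` and `preview_contains_active_content()` are hypothetical functions, and `htmlspecialchars()` stands in for the WordPress escaping helpers (`esc_html()`, or `wp_kses_post()` where a safe subset of markup should survive). The relevant point for this class of bug is that WordPress deliberately skips content filtering on save for users with unfiltered_html, so the response-building stage is where the content has to be escaped or filtered.

```php
<?php
// Added illustration, not wpDiscuz code. Shows why comment content returned
// over AJAX for a preview must be escaped or filtered at output time, and a
// check a maintainer could keep in a test suite to catch regressions.

// Constructed sample: raw markup that a user with unfiltered_html could have stored.
$stored_comment = 'Nice post! <img src=x onerror="alert(document.cookie)"><script>alert(1)</script>';

// Vulnerable pattern (hypothetical): stored content is concatenated into the
// preview HTML as-is, so the browser executes it when the preview is rendered.
function build_preview_response_unsafe(string $comment): string {
    $html = '<div class="wpd-inline-preview">' . $comment . '</div>';
    return json_encode(['success' => true, 'html' => $html]);
}

// Hardened pattern: escape at the point of output. In a real plugin this is
// esc_html() (or wp_kses_post() to allow a whitelisted subset of tags).
function build_preview_response_safe(string $comment): string {
    $escaped = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    $html = '<div class="wpd-inline-preview">' . $escaped . '</div>';
    return json_encode(['success' => true, 'html' => $html]);
}

// Regression check: parse the HTML carried in the JSON response and report
// whether any script element or on* event-handler attribute survived.
function preview_contains_active_content(string $json): bool {
    $payload = json_decode($json, true);
    $html = $payload['html'] ?? '';

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);          // tolerate fragment/HTML5 warnings
    $doc->loadHTML('<?xml encoding="UTF-8"?>' . $html);
    libxml_clear_errors();

    foreach ($doc->getElementsByTagName('*') as $el) {
        if (strtolower($el->tagName) === 'script') {
            return true;
        }
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

$unsafe = build_preview_response_unsafe($stored_comment);
$safe   = build_preview_response_safe($stored_comment);

echo 'unsafe response carries active content: '
    . (preview_contains_active_content($unsafe) ? 'yes' : 'no') . PHP_EOL;
echo 'safe response carries active content:   '
    . (preview_contains_active_content($safe) ? 'yes' : 'no') . PHP_EOL;
echo $safe . PHP_EOL;
```

Run it with `php preview_escape.php`. The check parses the response rather than grepping it, because a substring test for `onerror=` would also fire on the correctly escaped text; only markup that the DOM parser turns into an element or attribute is a real finding.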

Affected Systems

The flaw exists in wpDiscuz versions prior to 7.6.47, the WordPress comment plugin from the vendor gVectors. Any WordPress installation running one of the affected plugin versions is potentially impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. The EPSS score of less than 1% suggests a low anticipated exploitation frequency, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires the attacker to be a logged‑in user with the unfiltered_html capability, so the attack vector is authenticated and requires administrative or author‑level permissions. Because the payload is delivered via an AJAX response, the vulnerability is exploitable without additional steps beyond comment submission.

Generated by OpenCVE AI on March 17, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the wpDiscuz update to version 7.6.47 or later to remediate the stored XSS flaw.
  • If an update is not immediately possible, restrict or remove the unfiltered_html capability from non‑trusted user roles to prevent script injection.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
Vendors & Products                    Wordpress
                                      Wordpress wordpress

Fri, 13 Mar 2026 02:00:00 +0000

Type                 Values Removed   Values Added
Description                           wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in the inline comment preview functionality that allows authenticated users to inject malicious scripts by submitting comments with unescaped content. Attackers with unfiltered_html capabilities can inject JavaScript directly through comment content rendered in the AJAX response from the getLastInlineComments() function in class.WpdiscuzHelperAjax.php without proper HTML escaping.
Title                                 wpDiscuz before 7.6.47 - Stored Cross-Site Scripting in Inline Comment Preview
First Time appeared                   Gvectors
                                      Gvectors wpdiscuz
Weaknesses                            CWE-79
CPEs                                  cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
Vendors & Products                    Gvectors
                                      Gvectors wpdiscuz
References
Metrics                               cvssV3_1
                                      {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
                                      cvssV4_0
                                      {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-13T14:17:15.681Z

Reserved: 2026-01-06T16:47:17.182Z

Link: CVE-2026-22183

Vulnrichment

Updated: 2026-03-13T14:17:09.173Z

NVD

Status: Analyzed

Published: 2026-03-13T19:54:07.713

Modified: 2026-03-17T20:28:54.657

Link: CVE-2026-22183

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T10:00:00Z

Weaknesses