Description
Beghelli Sicuro24 SicuroWeb contains a template injection vulnerability that allows attackers to inject arbitrary AngularJS expressions by exploiting improper rendering of untrusted input in AngularJS template contexts. Attackers can inject malicious expressions that are compiled and executed by the AngularJS 1.5.2 runtime to achieve arbitrary JavaScript execution in operator browser sessions, with network-adjacent attackers able to deliver payloads via MITM injection in plaintext HTTP deployments.
Published: 2026-03-13
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-side Shortcode Execution
Action: Patch Immediately
AI Analysis

Impact

wpDiscuz before version 7.6.47 allows attackers to inject and execute arbitrary shortcodes within comment content that is sent through email notifications. Because the notification processor invokes do_shortcode() on the comment body before calling wp_mail(), injected shortcodes such as [contact-form-7] or [user_meta] are evaluated server-side. This can lead to unauthorized data retrieval or, depending on the shortcode's capabilities, remote code execution. The primary impact is the potential compromise of confidentiality, integrity, or availability of the site's data.
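The unsafe ordering the analysis describes (do_shortcode() applied to commenter-controlled text, then wp_mail()) next to a hardened notification builder, a detection helper and a defense-in-depth filter, as an added illustration that is not wpDiscuz's or gVectors' code and does not describe how 7.6.47 fixes the issue. It assumes a WordPress runtime: do_shortcode(), strip_shortcodes(), wp_strip_all_tags(), esc_html(), get_shortcode_regex(), wp_mail() and the preprocess_comment filter are WordPress core; the names unsafe_notify_subscriber, safe_notify_subscriber and comment_has_registered_shortcode are hypothetical.

```php
<?php
// Added illustration, not wpDiscuz's code. Assumes a WordPress runtime;
// the functions defined here are hypothetical names.

// UNSAFE: the ordering the advisory describes. Text a visitor typed into a
// comment is passed through the shortcode engine before it is mailed, so a
// registered shortcode such as [user_meta ...] or [contact-form-7 ...] inside
// the comment is evaluated server-side with whatever data access it has.
function unsafe_notify_subscriber( string $to, string $comment_content ): bool {
    $body = do_shortcode( $comment_content ); // untrusted input reaches the shortcode engine
    return wp_mail( $to, 'New comment on your post', $body );
}

// HARDENED: commenter-controlled text is never handed to do_shortcode().
//  - wp_strip_all_tags() drops HTML the commenter supplied;
//  - strip_shortcodes() removes tags of every shortcode registered at this
//    point, so a later filter that runs do_shortcode() on the mail body has
//    nothing left to expand;
//  - esc_html() makes remaining brackets and angle brackets display literally
//    in an HTML mail body instead of being interpreted.
function safe_notify_subscriber( string $to, string $comment_content ): bool {
    $body    = esc_html( strip_shortcodes( wp_strip_all_tags( $comment_content ) ) );
    $headers = array( 'Content-Type: text/html; charset=UTF-8' );
    return wp_mail( $to, 'New comment on your post', $body, $headers );
}

// DETECTION: true when the text contains a tag of a currently registered
// shortcode, i.e. one that do_shortcode() would actually expand. Unregistered
// [brackets] are ignored because the engine ignores them too. Useful for
// logging or holding such comments for moderation.
function comment_has_registered_shortcode( string $text ): bool {
    global $shortcode_tags;
    if ( empty( $shortcode_tags ) ) {
        return false; // nothing registered, nothing to expand
    }
    return (bool) preg_match( '/' . get_shortcode_regex() . '/s', $text );
}

// DEFENSE IN DEPTH (for wp-content/mu-plugins/ while a site waits to update):
// neutralise shortcode syntax at submission time, before the comment is stored
// or any notification is built. Only shortcodes registered by the time the
// 'preprocess_comment' filter runs are affected, so plugin load order matters.
add_filter( 'preprocess_comment', function ( array $commentdata ): array {
    if ( comment_has_registered_shortcode( $commentdata['comment_content'] ) ) {
        error_log( 'Shortcode syntax in comment from ' . $commentdata['comment_author_email'] );
        $commentdata['comment_content'] = strip_shortcodes( $commentdata['comment_content'] );
    }
    return $commentdata;
} );
```

The essential change is in safe_notify_subscriber(): the shortcode engine is simply not invoked on comment text, and escaping keeps the text inert if the mail is sent as HTML. The mu-plugin filter is a stopgap, not a substitute for updating, because strip_shortcodes() only knows about shortcodes registered before the filter runs.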

Affected Systems

The vulnerability affects installations of the gVectors wpDiscuz WordPress plugin up to, but not including, version 7.6.47. Any WordPress site that has wpDiscuz enabled and is configured to send comment notifications may be susceptible.

Risk and Exploitability

The CVSS score of 6.9 indicates substantial impact, while the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation. Attackers would need to be able to post comments that trigger email notifications; this can be achieved as a guest or authenticated user with comment privileges. Because the flaw relies on plaintext injection, elevated privileges beyond comment posting are not required. Given these factors, the overall risk remains high for organizations that enable comment notifications.

Generated by OpenCVE AI on March 19, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update wpDiscuz to version 7.6.47 or later
  • Disable comment email notifications until the patch is applied

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:30:00 +0000


Wed, 22 Apr 2026 19:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 5.2, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Wed, 22 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: wpDiscuz before 7.6.47 contains a shortcode injection vulnerability that allows attackers to execute arbitrary shortcodes by including them in comment content sent via email notifications. Attackers can inject shortcodes like [contact-form-7] or [user_meta] in comments, which are executed server-side when the WpdiscuzHelperEmail class processes notifications through do_shortcode() before wp_mail().
Values Added: Beghelli Sicuro24 SicuroWeb contains a template injection vulnerability that allows attackers to inject arbitrary AngularJS expressions by exploiting improper rendering of untrusted input in AngularJS template contexts. Attackers can inject malicious expressions that are compiled and executed by the AngularJS 1.5.2 runtime to achieve arbitrary JavaScript execution in operator browser sessions, with network-adjacent attackers able to deliver payloads via MITM injection in plaintext HTTP deployments.

Type: Title
Values Removed: wpDiscuz before 7.6.47 - Server-Side Shortcode Injection via Email Notifications
Values Added: Beghelli Sicuro24 SicuroWeb AngularJS Template Injection

Type: Weaknesses
Values: CWE-1336

Type: References

Type: Metrics
Values Removed: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}
Values Added: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Fri, 13 Mar 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Fri, 13 Mar 2026 02:00:00 +0000

Type: Description
Values Added: wpDiscuz before 7.6.47 contains a shortcode injection vulnerability that allows attackers to execute arbitrary shortcodes by including them in comment content sent via email notifications. Attackers can inject shortcodes like [contact-form-7] or [user_meta] in comments, which are executed server-side when the WpdiscuzHelperEmail class processes notifications through do_shortcode() before wp_mail().

Type: Title
Values Added: wpDiscuz before 7.6.47 - Server-Side Shortcode Injection via Email Notifications

Type: First Time appeared
Values Added: Gvectors; Gvectors wpdiscuz

Type: Weaknesses
Values Added: CWE-94

Type: CPEs
Values Added: cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Gvectors; Gvectors wpdiscuz

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
Values Added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Gvectors Wpdiscuz
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-22T18:36:18.229Z

Reserved: 2026-01-06T16:47:17.183Z

Link: CVE-2026-22191

Vulnrichment

Updated: 2026-03-13T14:16:38.049Z

NVD

Status: Modified

Published: 2026-03-13T19:54:09.290

Modified: 2026-04-22T19:17:00.040

Link: CVE-2026-22191

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:59:59Z

Weaknesses