Description
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie. Attackers can craft a malicious cookie value that, when processed through urldecode() and passed to wp_mail() functions, enables header injection to alter email recipients or inject additional headers.
Published: 2026-03-13
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Email Header Injection
Action: Upgrade
AI Analysis

Impact

wpDiscuz, a popular WordPress comment plugin from gVectors, contains an email header injection vulnerability in versions before 7.6.47. The plugin reads the comment_author_email cookie, a value the client fully controls, runs it through urldecode() and forwards the result to WordPress' wp_mail() without validating it as a single address. A crafted cookie can therefore alter the message's recipients or insert additional header fields, letting the site's mail system be abused for spam, phishing or similar misuse. The CNA mapped the weakness to CWE-20: Improper Input Validation; the NVD entry later recorded NVD-CWE-Other.

Affected Systems

The affected product is the wpDiscuz WordPress plugin developed by gVectors. All installations using any wpDiscuz version prior to 7.6.47 are vulnerable. The CVE notes that the vulnerability applies to "wpDiscuz before 7.6.47", with no additional sub‑version granularity provided.

Risk and Exploitability

The CVSS 4.0 base score is 6.3 (Medium); the CVSS 3.1 vector for the same issue scores 3.7 (Low). EPSS is below 1%, so exploitation in the wild is assessed as unlikely but not impossible, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records it as not automatable, with no known exploitation and partial technical impact. The attack vector is network (AV:N): the attacker sets the comment_author_email cookie in their own HTTP request to the site, with no privileges or user interaction required (PR:N/UI:N). Both vectors record extra conditions on exploitation (AT:P in 4.0, AC:H in 3.1), and the rated impact is limited to a low loss of integrity (VI:L / I:L) with no confidentiality or availability impact. That integrity loss is nonetheless what makes prompt patching worthwhile despite the low EPSS: the site's mail system can be made to send messages to recipients the attacker chooses, with headers the attacker adds, which supports spam and phishing.

Generated by OpenCVE AI on March 17, 2026 at 13:22 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The CVE description scopes the flaw to versions before 7.6.47, which is the basis for the upgrade recommendation below.

OpenCVE Recommended Actions

  • Update wpDiscuz to version 7.6.47 or later
  • Verify that the plugin no longer processes unsanitized values from the comment_author_email cookie
  • If an update is not immediately possible, ensure the decoded cookie value is validated as a single well-formed address (rejecting CR, LF and commas) or ignored entirely before it reaches wp_mail()
  • Monitor outgoing mail for unexpected Bcc or Cc headers, duplicated recipient headers, or comma-separated recipient lists on notifications that should go to one address
  • Check the plugin’s official website or repository for patch notes and future updates
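As an added example (not wpDiscuz, gVectors or WordPress code), the PHP below models the pattern in the description and the sanitisation and monitoring actions listed above: a cookie value is urldecode()d and used as a mail recipient. build_mail_headers() is a hypothetical stand-in for the header assembly that happens after wp_mail() and exists only to make an injected header visible as text; the cookie values are constructed. It goes one step beyond the CRLF case in the description: because wp_mail() also accepts a comma-separated recipient list, a comma in the value adds a recipient without any header injection at all, so the hardened version rejects commas as well as CR/LF and then validates the remainder as a single address (filter_var() stands in for WordPress's is_email() so the file runs outside WordPress). Where the value comes from $_COOKIE, PHP has already percent-decoded it once, so the plugin's own urldecode() is the step that turns a double-encoded sequence into a literal CRLF; whether wpDiscuz reads $_COOKIE or the raw header is not stated on this page.

```php
<?php
declare(strict_types=1);

// Added example, not wpDiscuz or WordPress code. It models the CVE's pattern
// (cookie -> urldecode() -> mail recipient) next to a hardened version and a
// monitoring check over the resulting headers.

/**
 * Hypothetical stand-in for the header assembly a mailer performs after
 * wp_mail(); it exists only to make an injected header visible as text.
 */
function build_mail_headers(string $to, string $subject): string
{
    return "To: {$to}\r\nSubject: {$subject}\r\n";
}

/** Vulnerable pattern: the decoded cookie is trusted as the recipient. */
function recipient_from_cookie_vulnerable(array $cookies): string
{
    return urldecode($cookies['comment_author_email'] ?? '');
}

/**
 * Hardened pattern: return exactly one well-formed address, or null.
 * Rejecting CR/LF closes the header-injection path; rejecting a bare comma
 * closes the "extra recipient" path, since wp_mail() splits $to on commas.
 * filter_var() stands in for WordPress's is_email() so this runs stand-alone.
 */
function recipient_from_cookie_hardened(array $cookies): ?string
{
    $raw = urldecode($cookies['comment_author_email'] ?? '');
    if ($raw === '' || preg_match('/[\r\n,]/', $raw)) {
        return null;
    }
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

/**
 * Monitoring check for outgoing mail: a comment notification should carry a
 * single To: address, so a Bcc:, a second recipient header, or a
 * comma-separated recipient list is treated as a sign of injection.
 */
function headers_look_injected(string $headers): bool
{
    $recipientHeaders = 0;
    foreach (preg_split('/\r?\n/', rtrim($headers)) as $line) {
        if (!preg_match('/^(To|Cc|Bcc):\s*(.*)$/i', $line, $m)) {
            continue;
        }
        $recipientHeaders++;
        if (strcasecmp($m[1], 'Bcc') === 0 || strpos($m[2], ',') !== false) {
            return true;
        }
    }
    return $recipientHeaders > 1;
}

// Constructed cookie values (not real traffic), percent-encoded as the
// plugin's urldecode() would receive them.
$samples = [
    'benign'    => 'alice%40example.com',
    'crlf_bcc'  => 'victim%40example.com%0D%0ABcc%3A%20attacker%40evil.example',
    'comma_add' => 'victim%40example.com%2Cattacker%40evil.example',
];

foreach ($samples as $name => $value) {
    $cookies = ['comment_author_email' => $value];

    // Vulnerable path: whatever decodes out of the cookie becomes $to.
    $to      = recipient_from_cookie_vulnerable($cookies);
    $headers = build_mail_headers($to, 'New comment on your post');
    printf("[%s] vulnerable recipient: %s\n", $name, json_encode($to));
    printf("[%s] headers flagged: %s\n", $name, headers_look_injected($headers) ? 'yes' : 'no');

    // Hardened path: one validated address or a rejection.
    $safe = recipient_from_cookie_hardened($cookies);
    printf("[%s] hardened recipient: %s\n\n", $name, $safe ?? 'rejected');
}
```

Run it with the PHP CLI. For the crlf_bcc sample the vulnerable recipient carries a second header line (a Bcc: to the attacker's address), and for comma_add it carries two addresses that wp_mail() would treat as two recipients; headers_look_injected() flags both. The hardened function rejects both and returns the plain address only for the benign sample, which is the behaviour the "sanitize or remove before wp_mail()" action above asks for.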



Advisories

No advisories yet.

History

Tue, 17 Mar 2026 12:00:00 +0000

Type         Values Removed   Values Added
Weaknesses   (none)           NVD-CWE-Other

Mon, 16 Mar 2026 10:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Wordpress; Wordpress wordpress
Vendors & Products    (none)           Wordpress; Wordpress wordpress

Fri, 13 Mar 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 02:00:00 +0000

Type                  Values Removed   Values Added
Description           (none)           wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie. Attackers can craft a malicious cookie value that, when processed through urldecode() and passed to wp_mail() functions, enables header injection to alter email recipients or inject additional headers.
Title                 (none)           wpDiscuz before 7.6.47 - Unsanitized Cookie Email Used as wp_mail() Recipient
First Time appeared   (none)           Gvectors; Gvectors wpdiscuz
Weaknesses            (none)           CWE-20
CPEs                  (none)           cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
Vendors & Products    (none)           Gvectors; Gvectors wpdiscuz
References            (none)           (none shown)
Metrics               (none)           cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}
                                       cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-13T16:07:30.506Z

Reserved: 2026-01-06T16:47:17.185Z

Link: CVE-2026-22204

Vulnrichment

Updated: 2026-03-13T16:07:27.753Z

NVD

Status : Analyzed

Published: 2026-03-13T19:54:10.790

Modified: 2026-03-17T11:47:27.633

Link: CVE-2026-22204

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:59:52Z

Weaknesses