CVE-2026-22183 is a stored cross-site scripting vulnerability found in the wpDiscuz WordPress plugin, specifically affecting versions prior to 7.6.47. The flaw exists in the inline comment preview feature, where the getLastInlineComments() function in the class.WpdiscuzHelperAjax.php file returns AJAX responses containing user-submitted comment content without proper HTML escaping. Authenticated users who possess the unfiltered_html capability—which allows them to submit content without sanitization—can exploit this vulnerability by injecting malicious JavaScript code into comments. When these comments are rendered in the inline preview, the malicious script executes in the context of other users viewing the comments, potentially leading to session hijacking, privilege escalation, or other client-side attacks. The vulnerability does not require elevated privileges beyond unfiltered_html capability, nor does it require user interaction beyond submitting a comment. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, but user interaction is needed. The vulnerability scope is limited to the wpDiscuz plugin and the affected WordPress sites. No public exploits have been reported yet, but the vulnerability poses a risk to sites that allow unfiltered_html users to post comments. The issue was published on March 13, 2026, and is categorized as medium severity with a CVSS score of 5.3.

This vulnerability can lead to the execution of arbitrary JavaScript in the browsers of users who view the affected comments, compromising confidentiality and integrity of user sessions and data. Attackers could steal cookies, perform actions on behalf of other users, or deliver further malware payloads. While the vulnerability requires authenticated users with unfiltered_html capabilities, many WordPress sites grant this to trusted contributors or editors, increasing risk. The impact is primarily on the confidentiality and integrity of user data and site content, with limited direct availability impact. Exploitation could damage user trust and lead to reputational harm for affected organizations. Since wpDiscuz is a popular commenting plugin, many websites worldwide could be affected, especially those with active user communities and less restrictive user permissions. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future attacks.

Organizations should immediately upgrade wpDiscuz to version 7.6.47 or later once available, as this will contain the necessary patches to properly escape user input in AJAX responses. Until patches are applied, restrict the unfiltered_html capability to the minimum number of trusted users, ideally only site administrators, to reduce the risk of malicious comment injection. Implement additional input validation and output encoding on comment content at the application level if possible. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious script injections in comment submissions and AJAX responses. Regularly audit user roles and permissions to ensure no unnecessary privileges are granted. Monitor logs for unusual comment activity or AJAX requests that may indicate exploitation attempts. Educate content moderators and administrators about the risks of granting unfiltered_html capabilities. Consider disabling inline comment previews if they are not essential to reduce attack surface.