CVE-2026-22191: Improper Control of Generation of Code ('Code Injection') in gVectors wpDiscuz
CVE-2026-22191 is a shortcode injection vulnerability in the wpDiscuz WordPress plugin before version 7.6.47. Attackers can inject arbitrary shortcodes into comment content, which are then executed server-side when email notifications are processed. This occurs because the WpdiscuzHelperEmail class uses do_shortcode() on comment content before sending emails via wp_mail(), allowing execution of potentially malicious shortcodes like [contact-form-7] or [user_meta]. The vulnerability requires no authentication or user interaction and can be exploited remotely. The CVSS 4.0 score is 6.9 (medium severity), reflecting network attack vector and no privileges required. Exploitation could lead to unauthorized code execution on the server, potentially impacting confidentiality and integrity.
AI Analysis
Technical Summary
CVE-2026-22191 is a code injection vulnerability affecting the wpDiscuz WordPress plugin versions prior to 7.6.47. The vulnerability arises from improper control over shortcode generation within comment content that is processed during email notification generation. Specifically, the WpdiscuzHelperEmail class calls the WordPress function do_shortcode() on comment content before sending email notifications via wp_mail(). This allows attackers to embed arbitrary shortcodes in comments, which are then executed on the server side. Since WordPress shortcodes can trigger various plugin or theme functionalities, malicious shortcodes like [contact-form-7] or [user_meta] can be used to execute unintended code paths, potentially leading to unauthorized actions or data exposure. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk profile. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality and integrity. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to websites using vulnerable versions of wpDiscuz, especially those that rely on email notifications for comment moderation or user engagement. The lack of patch links suggests that users should monitor the vendor’s updates closely and apply patches promptly once available.
Potential Impact
The primary impact of this vulnerability is unauthorized server-side code execution via shortcode injection, which can compromise the confidentiality and integrity of the affected WordPress site. Attackers could leverage this to execute arbitrary code, manipulate site content, access sensitive data, or escalate privileges depending on the shortcode capabilities and server configuration. Since the vulnerability is triggered during email notification processing, it could also be used to manipulate email content or cause denial of service by triggering resource-intensive shortcodes. Organizations relying on wpDiscuz for community engagement or comment management may face reputational damage, data breaches, or service disruptions. The ease of exploitation without authentication and user interaction increases the threat level, especially for high-traffic WordPress sites. However, the impact is somewhat limited by the scope of shortcode execution and the specific environment, which is why the CVSS score is medium rather than high or critical.
Mitigation Recommendations
1. Upgrade wpDiscuz to version 7.6.47 or later immediately once available to apply the official patch addressing this vulnerability.
2. As a temporary mitigation, disable or restrict the use of shortcodes in comment content or email notifications if feasible. This can be done by customizing or overriding the WpdiscuzHelperEmail class to avoid calling do_shortcode() on untrusted input.
3. Implement strict input validation and sanitization on comment content to prevent injection of malicious shortcodes.
4. Monitor email notification logs and comment submissions for suspicious shortcode patterns or unusual activity.
5. Employ web application firewalls (WAFs) with rules targeting shortcode injection attempts in WordPress comment parameters.
6. Regularly audit installed plugins and their versions to ensure timely patching of known vulnerabilities.
7. Limit plugin permissions and isolate WordPress environments to reduce the impact of potential code execution.
8. Educate site administrators about the risks of shortcode injection and encourage best practices for plugin management.
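As an added illustration of recommendation 2 (this is example code, not wpDiscuz's own code and not the vendor's patch), the risky pattern the advisory describes is shown beside a hardened form, followed by a must-use plugin that strips shortcodes from comments at ingest. The function names `example_build_notification_*` are assumed for illustration; only the WordPress core functions and hooks (`do_shortcode`, `strip_shortcodes`, `wp_kses_post`, `current_user_can`, `pre_comment_content`) are real, and the ingest filter assumes comments are saved through core's `wp_new_comment()` path.

```php
<?php
/**
 * Added example, not wpDiscuz code or the official fix for CVE-2026-22191.
 * Function and variable names are assumed for illustration; the WordPress
 * core functions and hooks used are real.
 */

// 1. The risky pattern, simplified: shortcodes found in untrusted comment text
//    are expanded server-side while the notification email body is built, so
//    every registered shortcode handler becomes reachable by any commenter.
function example_build_notification_vulnerable( $comment ) {
    return do_shortcode( $comment->comment_content );
}

// 2. Hardened form: never expand shortcodes taken from comment text.
//    strip_shortcodes() removes every registered tag (unregistered tags are
//    left as inert literal text, which do_shortcode() would not expand either);
//    wp_kses_post() then bounds the HTML that ends up in the email.
function example_build_notification_hardened( $comment ) {
    return wp_kses_post( strip_shortcodes( $comment->comment_content ) );
}

// 3. Defence in depth as a must-use plugin (wp-content/mu-plugins/): strip
//    shortcodes when the comment is stored, so no later template or email
//    path can expand them. Trusted users who may post unfiltered HTML keep
//    their content unchanged; everyone else, including anonymous commenters,
//    has shortcodes removed. Assumes the plugin saves comments via
//    wp_new_comment(), where core applies the pre_comment_content filter.
add_filter( 'pre_comment_content', function ( $content ) {
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $content = strip_shortcodes( $content );
    }
    return $content;
}, 5 );
```

Filtering on the `wp_mail` hook instead would be too late for this bug: by the time `wp_mail()` fires, `do_shortcode()` has already run and any handler side effects have already happened, so the content must be neutralised before expansion, at ingest or in the email builder itself.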
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-06T16:47:17.183Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b36fc02f860ef9434ef290
Added to database: 3/13/2026, 2:00:32 AM
Last enriched: 3/13/2026, 2:16:47 AM
Last updated: 3/13/2026, 10:04:42 AM