CVE-2026-22204: Improper Input Validation in gVectors wpDiscuz
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie. Attackers can craft a malicious cookie value that, when processed through urldecode() and passed to wp_mail() functions, enables header injection to alter email recipients or inject additional headers.
AI Analysis
Technical Summary
CVE-2026-22204 is a medium-severity vulnerability affecting the wpDiscuz WordPress plugin developed by gVectors. The vulnerability stems from improper input validation of the comment_author_email cookie value. Attackers can craft a malicious cookie containing specially encoded data that, when decoded via urldecode() and passed to the WordPress wp_mail() function, results in email header injection. This allows attackers to manipulate the email headers, potentially changing recipients or injecting additional headers, which can be exploited for spam relay, phishing, or evading email filters. The vulnerability does not require authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and limited impact on integrity but no impact on confidentiality or availability. Although no known exploits have been reported in the wild, the vulnerability poses a risk to any WordPress site using vulnerable versions of wpDiscuz prior to 7.6.47. The root cause is insufficient sanitization of user-controllable cookie data before it is used in email functions, highlighting the need for secure coding practices in handling input data that influences email headers.
Potential Impact
The primary impact of this vulnerability is the potential for attackers to manipulate email headers sent by the affected WordPress sites, which can lead to unauthorized email recipient modification or injection of malicious headers. This can facilitate spam campaigns, phishing attacks, or bypassing email security controls such as SPF, DKIM, or DMARC. Organizations relying on wpDiscuz for comment management may experience reputational damage if their email infrastructure is abused for spam or malicious email distribution. Although the vulnerability does not directly compromise site confidentiality or availability, it undermines the integrity of email communications and can be leveraged as a stepping stone for broader social engineering attacks. The ease of exploitation without authentication increases the risk, especially for high-traffic websites with active comment sections. The threat is particularly relevant for organizations that rely heavily on email notifications generated by wpDiscuz, including e-commerce, media, and community platforms.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade wpDiscuz to version 7.6.47 or later where the issue is patched. If upgrading is not immediately possible, implement strict input validation and sanitization on the comment_author_email cookie to ensure it does not contain characters that can manipulate email headers, such as CR (carriage return) and LF (line feed). Employ application-layer firewalls or web application firewalls (WAFs) to detect and block suspicious cookie values indicative of header injection attempts. Additionally, review and harden email sending configurations to enforce strict header formatting and reject malformed emails. Monitoring outgoing email logs for unusual recipient patterns or header anomalies can help detect exploitation attempts. Educate developers on secure coding practices related to email header construction and user input handling to prevent similar vulnerabilities in the future.
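One way to implement the cookie validation described above while an upgrade is pending, as an added example (not code from wpDiscuz or WordPress). It assumes deployment as a must-use plugin so that it runs before regular plugins read the cookie; the file name and function names are hypothetical, and cookies are matched by the comment_author_email name prefix.

```php
<?php
// Added example, not wpDiscuz or WordPress code.
// Assumption: saved as a must-use plugin (hypothetical path
// wp-content/mu-plugins/email-cookie-guard.php) so it loads before
// regular plugins process the cookie.

/**
 * True only if the value is a single plain e-mail address after
 * URL-decoding. Validation is done on the decoded form because the
 * advisory says the value passes through urldecode() before wp_mail().
 */
function example_email_cookie_is_safe($raw): bool
{
    if (!is_string($raw) || strlen($raw) > 254) {
        return false;
    }
    // Decode until stable (at most 3 rounds) so nested percent-encoding
    // cannot hide CR/LF from the checks below.
    $decoded = $raw;
    for ($i = 0; $i < 3 && urldecode($decoded) !== $decoded; $i++) {
        $decoded = urldecode($decoded);
    }
    if (urldecode($decoded) !== $decoded) {
        return false; // still encoded after 3 rounds: fail closed
    }
    // Reject control characters (CR, LF, NUL, ...) and address-list separators.
    if (preg_match('/[\x00-\x1F\x7F,;]/', $decoded)) {
        return false;
    }
    return filter_var($decoded, FILTER_VALIDATE_EMAIL) !== false;
}

/** Drop unsafe comment_author_email* cookies; returns the dropped names. */
function example_scrub_email_cookies(array &$cookies): array
{
    $dropped = [];
    foreach ($cookies as $name => $value) {
        if (strpos((string) $name, 'comment_author_email') === 0
            && !example_email_cookie_is_safe($value)) {
            unset($cookies[$name]);
            $dropped[] = (string) $name;
        }
    }
    return $dropped;
}

// Scrub the request's cookies before any plugin reads them.
example_scrub_email_cookies($_COOKIE);
```

The check fails closed: a rejected cookie is simply removed, so the commenter is asked for their address again instead of a malformed value reaching the mail path.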
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Netherlands, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-06T16:47:17.185Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b36fc02f860ef9434ef2b3
Added to database: 3/13/2026, 2:00:32 AM
Last enriched: 3/13/2026, 2:15:25 AM
Last updated: 3/14/2026, 2:28:41 AM