CVE-2026-22204 is a medium-severity vulnerability affecting gVectors wpDiscuz versions prior to 7.6.47. The vulnerability stems from improper input validation of the comment_author_email cookie, which is used in the context of sending emails via the WordPress wp_mail() function. Specifically, attackers can craft a malicious cookie value containing email header injection payloads. When this cookie value is processed through PHP's urldecode() function and subsequently passed to wp_mail(), the injected headers can manipulate the email's recipients or add additional headers. This can lead to unauthorized email sending behaviors such as spamming, phishing, or bypassing email filters. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) indicates network attack vector, low attack complexity, partial attack traceability, no privileges required, no user interaction, no confidentiality or availability impact, and low integrity impact. No known exploits have been reported in the wild yet, but the flaw poses a risk to any WordPress site using vulnerable wpDiscuz versions. The lack of patch links suggests that a fix may be forthcoming or recently released. The vulnerability highlights the importance of proper input sanitization and validation when handling user-controllable data in email headers.

The primary impact of CVE-2026-22204 is the potential for attackers to manipulate email headers sent by vulnerable WordPress sites using wpDiscuz. This can enable unauthorized email recipient modification, allowing attackers to send spam or phishing emails that appear to originate from legitimate sites. Such abuse can damage organizational reputation, lead to blacklisting of mail servers, and facilitate social engineering attacks against users or customers. Although the vulnerability does not directly compromise confidentiality or availability, it undermines email integrity and trustworthiness. Organizations relying on wpDiscuz for comment management may face increased risk of email-based attacks and reputational harm. Additionally, widespread exploitation could result in increased spam volume and complicate incident response. The vulnerability's ease of exploitation without authentication or user interaction increases its risk profile, especially for high-traffic websites. However, the lack of known active exploits currently limits immediate impact.

Organizations should immediately verify their wpDiscuz plugin version and upgrade to version 7.6.47 or later once available to address this vulnerability. Until a patch is applied, administrators can implement strict input validation and sanitization on the comment_author_email cookie to reject or neutralize suspicious characters that could enable header injection (e.g., newline characters, carriage returns). Web application firewalls (WAFs) can be configured to detect and block malicious cookie payloads targeting email headers. Monitoring outgoing emails for unusual recipient patterns or unexpected headers can help identify exploitation attempts. Additionally, restricting the use of wp_mail() to trusted inputs and employing email sending libraries that automatically sanitize headers can reduce risk. Regular security audits and vulnerability scanning focused on WordPress plugins are recommended to detect similar issues proactively. Finally, educating site administrators about the risks of email header injection and maintaining timely updates of all plugins is essential.