CVE-2026-22209

wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads like </style><script>alert(1)</script> in the custom CSS setting to execute arbitrary JavaScript in user browsers.
Configurations

Configuration 1

cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*

History

26 Mar 2026, 19:16

Type: Summary
  • Values Removed: (en) thingino-firmware up to commit e3f6a41 (published on 2026-03-15) contains an unauthenticated os command injection vulnerability in the WiFi captive portal CGI script that allows remote attackers to execute arbitrary commands as root by injecting malicious code through unsanitized HTTP parameter names. Attackers can exploit the eval function in parse_query() and parse_post() functions to achieve remote code execution and perform privileged configuration changes including root password reset and SSH authorized_keys modification, resulting in full persistent device compromise.
  • Values Added: (en) wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads like </style><script>alert(1)</script> in the custom CSS setting to execute arbitrary JavaScript in user browsers.
Type: CVSS
  • Values Removed: v2 : unknown; v3 : 8.8
  • Values Added: v2 : unknown; v3 : 5.5
Type: References
  • Values Removed: https://github.com/themactep/thingino-firmware/releases/tag/firmware-2026-03-15 (source: disclosure@vulncheck.com)
  • Values Removed: https://www.vulncheck.com/advisories/thingino-firmware-api-cgi-unauthenticated-command-injection-in-captive-portal (source: disclosure@vulncheck.com)
  • Values Added: https://wordpress.org/plugins/wpdiscuz/ (no tags)
  • Values Added: https://wordpress.org/plugins/wpdiscuz/#developers (no tags)
  • Values Added: https://www.vulncheck.com/advisories/wpdiscuz-before-cross-site-scripting-via-unescaped-custom-css-in-style-tag (no tags)
Type: CWE
  • Values Removed: CWE-78
  • Values Added: CWE-79

20 Mar 2026, 18:16

Type: CVSS
  • Values Removed: v2 : unknown; v3 : 4.8
  • Values Added: v2 : unknown; v3 : 8.8
Type: Summary
  • Values Added: (es, translated from Spanish) Thingino firmware up to commit e3f6a41 (published on 15 March 2026) contains an unauthenticated operating system command injection vulnerability in the WiFi captive portal CGI script, which allows remote attackers to execute arbitrary commands as root by injecting malicious code through unvalidated HTTP parameter names. Attackers can exploit the eval function in the parse_query() and parse_post() functions to achieve remote code execution and make privileged configuration changes, including resetting the root password and modifying SSH authorized_keys, resulting in full and persistent compromise of the device.

20 Mar 2026, 14:16

Type: CWE
  • Values Removed: CWE-79
  • Values Added: CWE-78
Type: References
  • Values Removed: https://wordpress.org/plugins/wpdiscuz/ (tags: Product; source: disclosure@vulncheck.com)
  • Values Removed: https://wordpress.org/plugins/wpdiscuz/#developers (tags: Product, Release Notes; source: disclosure@vulncheck.com)
  • Values Removed: https://www.vulncheck.com/advisories/wpdiscuz-before-cross-site-scripting-via-unescaped-custom-css-in-style-tag (tags: Third Party Advisory; source: disclosure@vulncheck.com)
  • Values Added: https://github.com/themactep/thingino-firmware/releases/tag/firmware-2026-03-15 (no tags)
  • Values Added: https://www.vulncheck.com/advisories/thingino-firmware-api-cgi-unauthenticated-command-injection-in-captive-portal (no tags)
Type: CVSS
  • Values Removed: v2 : unknown; v3 : 5.5
  • Values Added: v2 : unknown; v3 : 4.8
Type: Summary
  • Values Removed: (en) wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads like </style><script>alert(1)</script> in the custom CSS setting to execute arbitrary JavaScript in user browsers.
  • Values Added: (en) thingino-firmware up to commit e3f6a41 (published on 2026-03-15) contains an unauthenticated os command injection vulnerability in the WiFi captive portal CGI script that allows remote attackers to execute arbitrary commands as root by injecting malicious code through unsanitized HTTP parameter names. Attackers can exploit the eval function in parse_query() and parse_post() functions to achieve remote code execution and perform privileged configuration changes including root password reset and SSH authorized_keys modification, resulting in full persistent device compromise.

17 Mar 2026, 11:46

Type: First Time
  • Values Added: Gvectors
  • Values Added: Gvectors wpdiscuz
Type: CPE
  • Values Added: cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
Type: References
  • https://wordpress.org/plugins/wpdiscuz/ : tags added: Product
  • https://wordpress.org/plugins/wpdiscuz/#developers : tags added: Product, Release Notes
  • https://www.vulncheck.com/advisories/wpdiscuz-before-cross-site-scripting-via-unescaped-custom-css-in-style-tag : tags added: Third Party Advisory

13 Mar 2026, 19:54

Type: New CVE

Information

Published : 2026-03-13 19:54

Updated : 2026-03-26 19:16


NVD link : CVE-2026-22209

Mitre link : CVE-2026-22209

CVE.ORG link : CVE-2026-22209


Products Affected

gvectors

  • wpdiscuz
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')