Vulnerability Description
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie. An attacker can craft a cookie value that, once it is decoded with urldecode() and passed to wp_mail(), injects mail headers, altering the email recipients or adding further headers.
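A defensive handling of the flow described above, as an added example that is not wpDiscuz code and not the vendor's fix; the function name `safe_cookie_email` and the sample values are constructed for illustration. It decodes the value first, then rejects control characters and anything that is not a single valid address before the value can reach a mail header.

```php
<?php
// Added example: hypothetical helper, not taken from wpDiscuz or WordPress.

/**
 * Return a mail-header-safe address from a raw cookie value,
 * or null when the value must not be used in an e-mail at all.
 */
function safe_cookie_email(?string $raw): ?string
{
    if ($raw === null || $raw === '') {
        return null;
    }

    // Validate the decoded form: a check made before decoding
    // never sees the CR/LF hidden behind %0d%0a.
    $decoded = urldecode($raw);

    // Reject control characters outright instead of stripping them,
    // so a tampered cookie is dropped rather than "repaired".
    if (preg_match('/[\x00-\x1F\x7F]/', $decoded) === 1) {
        return null;
    }

    // Accept exactly one address: no display names, commas or extra text.
    $email = filter_var($decoded, FILTER_VALIDATE_EMAIL);
    if ($email === false || strlen($email) > 254) {
        return null;
    }

    return $email;
}

// Constructed sample cookie values (not captured from a real site).
$samples = [
    'plain address'       => 'alice%40example.org',
    'encoded CRLF header' => 'alice%40example.org%0d%0aBcc%3A%20other%40example.net',
    'bare line feed'      => "alice@example.org\nX-Test: 1",
    'two recipients'      => 'alice%40example.org%2Cother%40example.net',
];

foreach ($samples as $label => $raw) {
    $result = safe_cookie_email($raw);
    printf("%-20s => %s\n", $label, $result === null ? 'rejected' : $result);
}
```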
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gvectors | Wpdiscuz | < 7.6.47 |
Related Weaknesses (CWE)
References
- https://wordpress.org/plugins/wpdiscuz/ (Product)
- https://wordpress.org/plugins/wpdiscuz/#developers (Product, Release Notes)
- https://www.vulncheck.com/advisories/wpdiscuz-before-unsanitized-cookie-email-us (Third Party Advisory)
FAQ
What is CVE-2026-22204?
CVE-2026-22204 is a vulnerability with a CVSS score of 3.7 (LOW). wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie. Attackers ...
How severe is CVE-2026-22204?
CVE-2026-22204 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-22204?
Check the references section above for vendor advisories and patch information. Affected products include: Gvectors Wpdiscuz.