Unrated severity · NVD Advisory · Published Mar 13, 2026 · Updated Mar 13, 2026
wpDiscuz before 7.6.47 - Unsanitized Cookie Email Used as wp_mail() Recipient
CVE-2026-22204
Description
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie. Attackers can craft a malicious cookie value that, when processed through urldecode() and passed to wp_mail() functions, enables header injection to alter email recipients or inject additional headers.
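A defensive check for the pattern described above, as an added example (not wpDiscuz's code and not its 7.6.47 fix): the hypothetical helper `safe_cookie_recipient()` decodes the cookie value the way the description says it is processed, then returns exactly one validated address or `null`. The sample cookie values are constructed for illustration.

```php
<?php
// Added example: validate a cookie-supplied address before it is ever used
// as a mail recipient. safe_cookie_recipient() is a hypothetical helper.

function safe_cookie_recipient(?string $rawCookie): ?string
{
    if ($rawCookie === null || $rawCookie === '') {
        return null;
    }

    // Decode first, so validation sees the same bytes the mailer would see.
    $email = urldecode($rawCookie);

    // Reject control characters (CR, LF, NUL, ...) outright rather than
    // stripping them: a value that contains them is not a stored address.
    if (preg_match('/[\x00-\x1F\x7F]/', $email)) {
        return null;
    }

    // wp_mail() accepts a comma-separated recipient list and "Name <addr>"
    // syntax, so a single cookie value must not contain either.
    if (strpbrk($email, ',<>"') !== false) {
        return null;
    }

    // Exactly one syntactically valid address, or nothing.
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Constructed sample cookie values (still URL-encoded, as sent by a client).
$samples = [
    'reader%40example.com',                               // ordinary value
    'reader%40example.com%0D%0ABcc%3A%20x%40example.net', // encoded CR/LF and extra header
    'reader%40example.com%2Cother%40example.net',         // second recipient via comma
    'not-an-email',                                       // no address at all
];

foreach ($samples as $cookie) {
    $recipient = safe_cookie_recipient($cookie);
    printf("%-55s => %s\n", $cookie, $recipient ?? 'REJECTED');
}
```

Inside WordPress the same gate can be expressed with `is_email()` and `sanitize_email()`; the point is that the recipient is validated after decoding and before it reaches `wp_mail()`.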
References
- wordpress.org/plugins/wpdiscuz/ (mitre, patch)
- www.vulncheck.com/advisories/wpdiscuz-before-unsanitized-cookie-email-used-as-wp-mail-recipient (mitre, third-party-advisory)
- wordpress.org/plugins/wpdiscuz/ (mitre, product)