Unrated severityNVD Advisory· Published Mar 13, 2026· Updated Mar 26, 2026

wpDiscuz before 7.6.47 - Cross-Site Scripting via Unescaped Custom CSS in Style Tag

CVE-2026-22209

Description

wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads like </style><script>alert(1)</script> in the custom CSS setting to execute arbitrary JavaScript in user browsers.

Affected products

Gvectors/Wpdiscuzv5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

wordpress.org/plugins/wpdiscuz/mitrepatch
www.vulncheck.com/advisories/wpdiscuz-before-cross-site-scripting-via-unescaped-custom-css-in-style-tagmitrethird-party-advisory
wordpress.org/plugins/wpdiscuz/mitreproduct

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000