CVE-2026-22192 in wpDiscuz
Summary
by MITRE • 03/13/2026
wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by importing a crafted options file with unescaped customCss field values. Attackers can supply a malicious JSON import file containing script payloads in the customCss parameter that execute on every page when rendered through the options handler without proper sanitization.
Analysis
by VulDB Data Team • 03/20/2026
This vulnerability exists in the wpDiscuz plugin for WordPress and affects versions prior to 7.6.47. It is a classic stored cross-site scripting flaw reached through the plugin's options import functionality, which lets an attacker persist malicious code in the site's configuration. The root cause is insufficient validation and sanitization of the customCss field when an imported configuration file is processed, creating a persistent security risk for all users of the affected plugin. The attack vector requires authentication, so only users with valid credentials can exploit the weakness; that requirement limits who can plant the payload, not the impact once it has been stored.
The defect lies in the JSON import process: the plugin does not properly escape or sanitize user-supplied content in the customCss parameter. When an attacker imports a crafted options file that carries JavaScript in the customCss field, that code is stored in the plugin's configuration in the database. The vulnerability is particularly dangerous because the stored value is emitted every time the options handler renders the configuration, so the payload runs on every page that includes the plugin's output and affects all visitors to those pages. Because the payload is stored server-side, even users without authentication are affected: the code executes in their browser context.
The operational impact goes beyond simple code injection: the attacker gains arbitrary JavaScript execution in the browsers of authenticated users. That enables session hijacking, credential theft, data exfiltration and, combined with other vulnerabilities, potentially full system compromise. The attack needs only a JSON file crafted to include script payloads in the customCss parameter; once imported through the legitimate import mechanism, the payload is stored permanently in the system. Because the stored payload is served to every user of the affected plugin regardless of privilege level, administrators and regular users are equally exposed.
Mitigation starts with an immediate upgrade to wpDiscuz 7.6.47 or later, which contains the sanitization fix for the customCss parameter. System administrators should also monitor import activity and restrict file upload and import capabilities to trusted users only. The weakness is classified as CWE-79, which covers cross-site scripting flaws, and is a clear example of how insecure input handling leads to persistent code execution. From an attack perspective, this vulnerability maps to ATT&CK technique T1566.002, which covers the use of malicious file imports to establish persistence and execute malicious code within target environments. Organizations should also consider a web application firewall to detect and block suspicious import activity, and should audit plugin configurations regularly for unauthorized modifications that could indicate exploitation attempts.
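The import-and-render path described above, as an added example that is not wpDiscuz's code: the function names, the `customCss` handling and the two JSON inputs are constructed for illustration. The vulnerable handler stores the imported value unchanged and emits it inside a `<style>` element; the hardened handler rejects any value containing markup before it is stored, using the same tag check WordPress core applies to Customizer additional CSS; and a small audit helper flags a stored value that was imported before the fix, which is the "unauthorized modification" the analysis recommends looking for.

```php
<?php
// Added example, not wpDiscuz code. A minimal model of an options import
// that stores a customCss value and later renders it into a <style> block.
// All function names are hypothetical; the JSON inputs are constructed.

declare(strict_types=1);

// Constructed import file in the shape the advisory describes: a JSON
// options document whose customCss value carries markup instead of CSS.
const SAMPLE_IMPORT = '{"customCss":"body{color:red}</style><script>alert(1)</script>"}';
const CLEAN_IMPORT  = '{"customCss":"body > p { color: red; } .wpd-comment { margin: 0 }"}';

/**
 * Vulnerable pattern: the imported value is stored as-is.
 * Nothing stops it from closing the <style> element and opening <script>.
 */
function import_options_vulnerable(string $json, array &$options): void
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $options['customCss'] = (string) ($data['customCss'] ?? '');
}

function render_custom_css(array $options): string
{
    // <style> is a raw-text context: the browser does not decode entities
    // here, and esc_html() would also break valid selectors such as "body > p".
    // The only safe layer is to refuse markup before the value is stored.
    return '<style>' . ($options['customCss'] ?? '') . '</style>';
}

/**
 * Hardened pattern: validate before storing. A "<" or "</" followed by a
 * word character has no legitimate use in CSS, so any match is rejected
 * (same rule WordPress core uses for Customizer CSS). A real plugin would
 * additionally gate the import behind the manage_options capability.
 */
function is_safe_css(string $css): bool
{
    return preg_match('#</?\w+#', $css) !== 1;
}

function import_options_hardened(string $json, array &$options): bool
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $css  = (string) ($data['customCss'] ?? '');
    if (!is_safe_css($css)) {
        return false; // reject the whole import; never store a partial value
    }
    $options['customCss'] = $css;
    return true;
}

/**
 * Audit helper for already-deployed sites: reports markup tokens found in
 * a stored customCss value, which indicates an import made before the fix.
 */
function audit_custom_css(array $options): array
{
    $findings = [];
    $css = (string) ($options['customCss'] ?? '');
    if (preg_match_all('#</?\w+#', $css, $m) > 0) {
        $findings[] = sprintf('customCss contains %d markup token(s): %s',
            count($m[0]), implode(', ', array_unique($m[0])));
    }
    return $findings;
}

// Stand-alone demonstration (php example.php)
$vuln = [];
import_options_vulnerable(SAMPLE_IMPORT, $vuln);
echo "Vulnerable render:\n" . render_custom_css($vuln) . "\n\n";

$safe = [];
var_dump(import_options_hardened(SAMPLE_IMPORT, $safe)); // bool(false): rejected
var_dump(import_options_hardened(CLEAN_IMPORT, $safe));  // bool(true): stored
echo render_custom_css($safe) . "\n\n";

foreach (audit_custom_css($vuln) as $finding) {
    echo "AUDIT: $finding\n";
}
```

Two design points worth noting. First, the fix lives at import time rather than at render time: once a `<style>` element is the output context, no entity-escaping function can both preserve valid CSS and neutralize `</style>`, so the value must never reach storage with markup in it. Second, the audit regex is deliberately strict and will also reject CSS that legitimately contains `<` followed by a word character inside a `content:` string; in practice such values are rewritten rather than allowed through, because a permissive check would reopen the same hole.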