CVE-2026-22204 in wpDiscuz
Summary
by MITRE • 03/13/2026
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie. Attackers can craft a malicious cookie value that, when processed through urldecode() and passed to the wp_mail() function, enables header injection to alter email recipients or inject additional headers.
Analysis
by VulDB Data Team • 03/20/2026
The wpDiscuz plugin for WordPress has a critical email header injection vulnerability, identified as CVE-2026-22204, affecting versions prior to 7.6.47. The flaw resides in the comment author email handling, where the plugin fails to sanitize user-supplied data before incorporating it into email headers. Specifically, the comment_author_email cookie value is processed through the urldecode() function and then passed to WordPress's wp_mail() function without adequate input validation or sanitization.
Exploitation works by manipulating the comment_author_email cookie value so that it carries data designed to inject additional headers into the outgoing email. When the cookie value includes newline characters or other header injection sequences, these pass through the plugin's input handling and are interpreted by the mail function as legitimate header directives. The vulnerability relies on the trust placed in cookie data that is never sanitized, allowing attackers to alter the recipient list or inject headers that redirect emails or modify their content.
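The following is an added example, not wpDiscuz or WordPress code: it models the check a comment-notification handler should apply after urldecode() and before wp_mail(), plus a detection rule for the raw cookie value. The function names and the sample cookie values are constructed for illustration; `unquote_plus` is used because it mirrors PHP urldecode() semantics (plus becomes space, %XX escapes are decoded).

```python
"""Hardened handling of an email address read from a cookie (added example)."""
import re
from typing import Optional
from urllib.parse import unquote_plus

# Exactly one address, no whitespace and no control characters (deliberately strict).
_SINGLE_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def header_safe_email(cookie_value: str) -> Optional[str]:
    """Return the decoded address if it may be placed in a mail header, else None.

    unquote_plus behaves like PHP urldecode(): '+' becomes a space and %XX escapes are
    decoded, so %0D%0A in the cookie arrives here as a literal CRLF.
    """
    decoded = unquote_plus(cookie_value)
    # A CR, LF or NUL would terminate the current header and start a new one.
    if any(ch in decoded for ch in ("\r", "\n", "\0")):
        return None
    if not _SINGLE_ADDRESS.fullmatch(decoded):
        return None
    return decoded


def cookie_looks_injected(raw_cookie_value: str) -> bool:
    """Detection side: flag a raw cookie value carrying encoded or literal line breaks.

    Suitable as a WAF or log-review rule for the comment_author_email cookie.
    """
    return re.search(r"%0[AaDd]|[\r\n]", raw_cookie_value) is not None


# Constructed sample cookie values (not real traffic).
SAMPLES = {
    "benign": "reader%40example.com",
    "plus_sign": "first+last%40example.com",            # urldecode turns '+' into a space
    "encoded_crlf": "reader%40example.com%0D%0AX-Injected%3A%201",
    "double_encoded": "reader%40example.com%250D%250A",  # one decode leaves literal "%0D%0A"
}


def classify(samples=SAMPLES):
    """Map each sample to (accepted address or None, flagged by the detection rule)."""
    return {name: (header_safe_email(v), cookie_looks_injected(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (addr, flagged) in classify().items():
        print(f"{name:15} accepted={addr!r:25} flagged={flagged}")
```

The double-encoded sample shows why the validator, not the detection rule, is the control that matters: the rule does not fire on it, but the strict address match still rejects the decoded value.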
This vulnerability has significant operational impact for WordPress sites running wpDiscuz, since it enables unauthorized email redirection and potentially exposes sensitive information through header manipulation. The attack vector is particularly concerning because it requires no user interaction beyond setting a cookie, which makes it suitable for automated exploitation. Attackers could redirect notification emails to their own addresses, intercepting comments or notifications intended for legitimate site administrators, or inject headers used to deliver spam or phishing content through the site's email infrastructure.
The vulnerability aligns with CWE-115, which describes improper handling of encoding, and is a classic example of header injection in email systems. From an ATT&CK framework perspective, it maps to technique T1190 - Exploit Public-Facing Application and T1078 - Valid Accounts, as it lets attackers leverage existing comment functionality to manipulate email delivery. The attack requires no privileged access but relies on the trust model of the application's cookie handling. Organizations should immediately update to wpDiscuz version 7.6.47 or later, which implements proper input sanitization and validation for email headers. Additional mitigations include validating cookie values before use, setting secure cookie flags, and monitoring for unusual email delivery patterns that could indicate header injection attempts.