AdvancedCoding wpDiscuz
cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:wordpress:*:*
- < 7.6.47
A shortcode injection vulnerability has been identified in wpDiscuz versions prior to 7.6.47. This vulnerability allows attackers to execute arbitrary shortcodes by injecting them into comment content, which is then processed server-side through the WpdiscuzHelperEmail class. The injection occurs via email notifications, where shortcodes like [contact-form-7] or [user_meta] can be executed when the comments are processed through do_shortcode() before being sent via wp_mail().
Exploitation of this vulnerability allows for server-side execution of injected shortcodes, which could be used to manipulate comment functionality or access user metadata, depending on the shortcode executed.
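An audit for comments that carry shortcode tags, as an added example that is not wpDiscuz or WordPress code. The regex is a simplified approximation of WordPress shortcode syntax, the `REGISTERED` allow-list stands in for the tags registered on your own site, and the sample rows are constructed; `comment_ID` and `comment_content` are the `wp_comments` column names.

```python
import re

# Simplified approximation of WordPress shortcode syntax: [tag attrs...]
# Groups 1 and 4 capture the doubled brackets used to escape a tag ([[tag]]).
SHORTCODE_RE = re.compile(r"\[(\[?)([A-Za-z_][\w-]*)(?![\w-])([^\]]*)\](\]?)")

# Assumption: tags registered on the audited site. The two below are the
# examples named in the advisory text; replace with your site's real list.
REGISTERED = {"contact-form-7", "user_meta"}

def find_shortcodes(text, registered=None):
    """Return unescaped shortcode tag names found in text, in order.

    With registered=None every shortcode-shaped token is reported, which
    also catches bracketed prose such as [sic]; pass the site's tag set
    to report only tags that could actually be expanded.
    """
    hits = []
    for m in SHORTCODE_RE.finditer(text):
        if m.group(1) == "[" and m.group(4) == "]":
            continue  # [[tag]] is the escaped form and renders literally
        tag = m.group(2)
        if registered is None or tag in registered:
            hits.append(tag)
    return hits

def audit_comments(rows, registered=None):
    """Map comment_ID -> tag names for comments containing shortcodes."""
    findings = {}
    for row in rows:
        tags = find_shortcodes(row["comment_content"], registered)
        if tags:
            findings[row["comment_ID"]] = tags
    return findings

# Constructed sample rows shaped like a wp_comments export.
SAMPLE_ROWS = [
    {"comment_ID": 1, "comment_content": 'Nice post! [contact-form-7 id="1"]'},
    {"comment_ID": 2, "comment_content": "As cited in [1], the author [sic] wrote this."},
    {"comment_ID": 3, "comment_content": "Type [[user_meta]] to show the tag literally."},
    {"comment_ID": 4, "comment_content": '[user_meta key="nickname"] thanks [/user_meta]'},
]

if __name__ == "__main__":
    for cid, tags in audit_comments(SAMPLE_ROWS, REGISTERED).items():
        print(f"comment {cid}: {', '.join(tags)}")
```

Run it over an export of comments submitted while a version prior to 7.6.47 was installed; each finding is a lead for manual review, not proof that a shortcode was executed.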