CVE-2026-22202
HIGH
wpDiscuz < 7.6.47 - Cross-Site Request Forgery via Destructive GET Action
Title source: llm
Description
wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to trigger permanent deletion of comments without user confirmation or POST-based CSRF protection.
References (3)
Core References
Product patch
https://wordpress.org/plugins/wpdiscuz/#developers
Product
https://wordpress.org/plugins/wpdiscuz/
Third Party Advisory
https://www.vulncheck.com/advisories/wpdiscuz-before-destructive-get-action-deletes-all-comments-by-email
Scores
CVSS v3
8.1
EPSS
0.0017
EPSS Percentile
6.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-352
Status
published
Products (3)
gVectors/wpDiscuz
< 7.6.47
gvectors/wpdiscuz
< 7.6.47
gVectors/wpDiscuz
7.6.47
Published
Mar 13, 2026
Tracked Since
Mar 14, 2026