CVE-2026-22215

MEDIUM

wpDiscuz <7.6.47 - CSRF

Title source: llm

Description

wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability in the getFollowsPage() function that allows attackers to trigger unauthorized actions without nonce validation. Attackers can craft malicious requests to enumerate follow relationships and manipulate user follow data by exploiting the missing CSRF protection in the follows page handler.

References (3)

[Product] https://wordpress.org/plugins/wpdiscuz/#developers

[Product] https://wordpress.org/plugins/wpdiscuz/

[Third Party Advisory] https://www.vulncheck.com/advisories/wpdiscuz-before-missing-csrf-protection-on-wpdgetfollowspage

Scores

CVSS v3 4.3

EPSS 0.0002

EPSS Percentile 6.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (3)

gVectors/wpDiscuz < 7.6.47

gvectors/wpdiscuz < 7.6.47

gVectors/wpDiscuz 7.6.47

Published Mar 13, 2026

Tracked Since Mar 14, 2026