Platform: wordpress
Component: wpdiscuz
Fixed in: 7.6.47
CVE-2026-22202 describes a cross-site request forgery (CSRF) vulnerability in wpDiscuz, a popular WordPress comment system plugin. The flaw allows an attacker to delete all comments associated with a specific email address by crafting a malicious GET request that the plugin executes without a CSRF nonce bound to the acting user and without any confirmation step. The vulnerability affects wpDiscuz versions prior to 7.6.47; version 7.6.47 contains the fix.
The primary impact is unauthorized deletion of comments managed by wpDiscuz. The deletion link carries an HMAC key derived from the target email address, and because the plugin accepts it over GET, an attacker who holds a valid key for a given address can embed the URL in an image tag or another resource on a page they control. When a user whose browser is logged in to the affected site loads that page, the browser issues the request with the user's cookies attached, and every comment tied to the targeted email address is permanently deleted. This can disrupt discussions, remove valuable user-generated content, and damage the site's reputation. The issue does not lead directly to system compromise, but the irreversible data loss and the ability to single out specific users make it a significant risk.
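The following is an added illustration of the flaw class described above, written for this page rather than taken from wpDiscuz; the secret, the comment store, the request shape and the nonce scheme are all constructed assumptions. It replays the same cross-site GET against a handler that trusts only an email-bound HMAC key and against a hardened handler that requires POST, a logged-in session, a session-bound nonce and an explicit confirmation, and it shows why the key alone is not a CSRF defence:

```python
"""Toy model of the CSRF flaw class on this page (constructed example, not wpDiscuz code)."""
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed secret and sample comment store; none of this is real wpDiscuz data.
SITE_SECRET = b"example-site-secret-do-not-reuse"

COMMENT_STORE = [
    {"id": 1, "email": "alice@example.com", "text": "first"},
    {"id": 2, "email": "alice@example.com", "text": "second"},
    {"id": 3, "email": "bob@example.com", "text": "hello"},
]


@dataclass
class Request:
    method: str
    params: dict
    # The browser attaches the session cookie to any request to the site,
    # including one triggered by an <img src=...> on an attacker's page.
    session_id: Optional[str] = None


def email_key(email: str) -> str:
    """Capability token tied only to the e-mail address: anyone holding it can use it."""
    return hmac.new(SITE_SECRET, email.encode(), hashlib.sha256).hexdigest()


def vulnerable_delete(req: Request, store: list) -> tuple:
    """Flawed pattern: a GET with a valid e-mail key deletes every comment for that address.
    Nothing ties the request to the acting user's session, so a third-party page can trigger it."""
    email = req.params.get("email", "")
    key = req.params.get("key", "")
    if not hmac.compare_digest(key, email_key(email)):
        return ("rejected", "bad key")
    before = len(store)
    store[:] = [c for c in store if c["email"] != email]
    return ("deleted", before - len(store))


def csrf_nonce(session_id: str, action: str) -> str:
    """Per-session, per-action token; a cross-site page can neither read nor forge it."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def hardened_delete(req: Request, store: list, sessions: dict) -> tuple:
    """Hardened pattern: POST only, logged-in session, session-bound nonce, explicit
    confirmation, and the target address comes from the session, not from the request."""
    if req.method != "POST":
        return ("rejected", "state change requires POST")
    user_email = sessions.get(req.session_id)
    if user_email is None:
        return ("rejected", "not logged in")
    expected = csrf_nonce(req.session_id, "delete_comments")
    if not hmac.compare_digest(req.params.get("nonce", ""), expected):
        return ("rejected", "missing or invalid nonce")
    if req.params.get("confirm") != "1":
        return ("rejected", "confirmation required")
    before = len(store)
    store[:] = [c for c in store if c["email"] != user_email]
    return ("deleted", before - len(store))


def demo() -> dict:
    """Replay the same forged request against both handlers on fresh copies of the store."""
    sessions = {"sess-alice": "alice@example.com"}
    # Attacker page: <img src="https://site/?email=alice@...&key=...">; cookie auto-attached.
    forged = Request("GET", {"email": "alice@example.com",
                             "key": email_key("alice@example.com")}, session_id="sess-alice")
    vuln_store = [dict(c) for c in COMMENT_STORE]
    hard_store = [dict(c) for c in COMMENT_STORE]
    vuln_result = vulnerable_delete(forged, vuln_store)
    hard_result = hardened_delete(forged, hard_store, sessions)
    # A cross-site POST still fails: the attacker cannot read the victim's nonce.
    forged_post = Request("POST", {"confirm": "1"}, session_id="sess-alice")
    hard_post_result = hardened_delete(forged_post, hard_store, sessions)
    # Alice herself, submitting the site's own confirmation form, succeeds.
    legit = Request("POST", {"nonce": csrf_nonce("sess-alice", "delete_comments"),
                             "confirm": "1"}, session_id="sess-alice")
    legit_result = hardened_delete(legit, hard_store, sessions)
    return {
        "vulnerable": vuln_result,
        "hardened_get": hard_result,
        "hardened_forged_post": hard_post_result,
        "hardened_legit": legit_result,
        "remaining_after_legit": len(hard_store),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the pairing is that the HMAC over the email address proves only that the link was minted by the site, not that the person submitting it intends the deletion; the hardened handler makes intent explicit (POST plus confirmation) and binds the request to the session through a nonce that a cross-origin page cannot obtain.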
CVE-2026-22202 was publicly disclosed on 2026-03-13. No public proof-of-concept exploit is known at the time of writing, and the vulnerability is not listed in the CISA KEV catalog. Given how simple CSRF exploitation is, it is reasonable to expect that attackers will develop and use exploits against sites still running vulnerable versions of wpDiscuz.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation for CVE-2026-22202 is to upgrade the wpDiscuz plugin to version 7.6.47 or later without delay; that release fixes the CSRF vulnerability. If upgrading is not immediately feasible, a Web Application Firewall (WAF) rule that blocks GET requests carrying the deletecomments action is a temporary workaround. Note that a WAF cannot tell whether the HMAC key in such a request is valid, so the rule should key on the action parameter alone, and it will also block any legitimate use of that link until the upgrade is done. Also review third-party plugins or themes that interact with wpDiscuz to make sure they do not introduce further issues. After upgrading, verify the fix on a staging copy rather than the production site: a crafted GET to the comment deletion action should now be rejected or fail, whereas on an unpatched site the test itself would delete the comments.
Update the wpDiscuz plugin to version 7.6.47 or higher. This version fixes the CSRF vulnerability that allowed comment deletion without confirmation. The update can be performed from the WordPress admin panel.
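As an added helper for the mitigation steps above (written for this page, not part of wpDiscuz or any WAF product), the script below does two things: it reads the installed version from a WordPress plugin header and compares it against the fixed version, and it triages web-server access-log lines for GET requests that carry the deletion action, reporting whether the Referer is cross-site. The log lines are constructed samples, and `deletecomments` as the literal to match in the query string is an assumption taken from the wording of this page; adjust it to the real parameter name in your deployment.

```python
"""Version gate and access-log triage for CVE-2026-22202 (constructed example, not project code)."""
import re
from urllib.parse import urlsplit

FIXED_VERSION = "7.6.47"
# Assumed action name as worded on this page; confirm against the real parameter before use.
DELETE_MARKER = "deletecomments"

# Apache/Nginx combined log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_version(v: str) -> tuple:
    """'7.6.47' -> (7, 6, 47); tuples compare lexicographically, missing fields count as 0."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the first fixed release."""
    return parse_version(installed) < parse_version(fixed)


def plugin_version_from_header(text: str):
    """Extract 'Version:' from a WordPress plugin header comment (the main plugin file)."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def waf_decision(method: str, target: str) -> str:
    """The interim rule suggested above: block any GET that carries the deletion action.
    The WAF cannot validate the HMAC key, so the action name alone is the trigger."""
    if method == "GET" and DELETE_MARKER in target.lower():
        return "block"
    return "allow"


def triage_log(lines, site_host: str) -> list:
    """Flag deletion-action GETs and note whether the Referer is absent or off-site."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or DELETE_MARKER not in m["target"].lower():
            continue
        ref_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
        flagged.append({
            "ip": m["ip"], "method": m["method"], "target": m["target"],
            "referer": m["referer"], "cross_site": ref_host != site_host,
            "waf": waf_decision(m["method"], m["target"]),
        })
    return flagged


# Constructed sample data for a stand-alone run.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: wpDiscuz
 * Version: 7.6.46
 */
"""
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Mar/2026:10:01:02 +0000] "GET /?action=deletecomments&email=alice%40example.com&key=abc HTTP/1.1" 200 512 "https://attacker.example/post.html" "Mozilla/5.0"',
    '198.51.100.4 - - [13/Mar/2026:10:05:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "https://blog.example/article/" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Mar/2026:10:06:00 +0000] "GET /?action=deletecomments&email=bob%40example.com&key=def HTTP/1.1" 200 500 "-" "curl/8.0"',
    '192.0.2.5 - - [13/Mar/2026:10:07:00 +0000] "GET /wp-content/plugins/wpdiscuz/assets/x.css HTTP/1.1" 200 4000 "https://blog.example/" "Mozilla/5.0"',
]


def run() -> dict:
    version = plugin_version_from_header(SAMPLE_HEADER)
    return {
        "installed": version,
        "vulnerable": is_vulnerable(version) if version else None,
        "flagged": triage_log(SAMPLE_LOG, "blog.example"),
    }


if __name__ == "__main__":
    result = run()
    print("installed", result["installed"], "vulnerable:", result["vulnerable"])
    for hit in result["flagged"]:
        print(hit)
```

Run the version gate against the plugin's main file on each site you manage; a hit in the log triage with `cross_site` set is a request that did not originate from your own pages and warrants a check of whether comments for that address disappeared.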
CVE-2026-22202 is a cross-site request forgery vulnerability in wpDiscuz versions prior to 7.6.47 that allows an attacker to delete all comments associated with an email address.
You are affected if you are using wpDiscuz versions prior to 7.6.47. Upgrade immediately to mitigate the risk.
Upgrade the wpDiscuz plugin to version 7.6.47 or later. Consider WAF rules as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the vulnerability is considered likely to be targeted.
Refer to the official wpDiscuz website and WordPress plugin repository for updates and advisories related to CVE-2026-22202.