Platform: wordpress
Component: wpdiscuz
Fixed in: 7.6.47
CVE-2026-22215 is a cross-site request forgery (CSRF) vulnerability discovered in the wpDiscuz plugin for WordPress. Because the affected code performs no nonce validation, an attacker can induce an authenticated user's browser to submit requests that modify that user's follow relationships. The vulnerability affects versions of wpDiscuz prior to 7.6.47, and a patch is available in version 7.6.47.
The primary impact of this CSRF vulnerability is that an attacker can manipulate user follow data within the wpDiscuz plugin. An attacker could craft malicious requests that add or remove users from follow lists, degrading the plugin's social features and user experience. While the vulnerability does not directly lead to data exfiltration or system compromise, it can be used to disrupt the plugin's functionality and could be chained with other vulnerabilities for more severe consequences. The root cause is the missing CSRF protection in the getFollowsPage() function, which lets forged requests pass as if they originated from the authenticated user.
CVE-2026-22215 was publicly disclosed on 2026-03-13. No public proof-of-concept (PoC) code has been released at the time of writing. The EPSS score is currently pending evaluation. It is not listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (5th percentile)
The recommended mitigation for CVE-2026-22215 is to upgrade the wpDiscuz plugin to version 7.6.47 or later immediately. If upgrading is not immediately feasible because of compatibility issues or testing requirements, consider a Web Application Firewall (WAF) rule that filters requests to the getFollowsPage() endpoint, specifically looking for missing or invalid CSRF tokens. Additionally, ensure that users understand the risks of clicking suspicious links or visiting untrusted websites, since that is how CSRF attacks are delivered. After upgrading, verify the fix by attempting to trigger a follow action via a crafted URL and confirming that it requires authentication.
Update the wpDiscuz plugin to version 7.6.47 or higher. This version fixes the CSRF vulnerability in the getFollowsPage() function. The update can be performed from the Plugins section of the WordPress admin panel.
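As an added illustration, not wpDiscuz's own code (the page does not reproduce its handler), a hypothetical WordPress AJAX follow handler is shown without and with the nonce check that closes this class of CSRF hole; the action name, nonce action and user-meta key are assumptions.

```php
<?php
// Added illustrative example, not wpDiscuz code. All names are hypothetical:
// 'example_follow_toggle' (AJAX action), 'example_follow' (nonce action),
// 'example_follows' (user meta key). A cookie-authenticated admin-ajax.php
// handler without a nonce check is shown beside the hardened form.
// Shared state change: toggle $target in the current user's follow list.
function example_toggle_follow( $target ) {
    $me   = get_current_user_id();
    $list = get_user_meta( $me, 'example_follows', true );
    $list = is_array( $list ) ? $list : array();
    if ( in_array( $target, $list, true ) ) {
        $list = array_values( array_diff( $list, array( $target ) ) );
    } else {
        $list[] = $target;
    }
    update_user_meta( $me, 'example_follows', $list );
    return $list;
}
// VULNERABLE shape: any site the victim visits can make the logged-in browser
// POST here, and the session cookie alone is enough for WordPress to run it.
function example_follow_toggle_vulnerable() {
    wp_send_json_success( example_toggle_follow( absint( $_POST['user_id'] ?? 0 ) ) );
}
// HARDENED: the request must carry a nonce minted for this user and action.
// A cross-site page cannot read it, so a forged request dies here (HTTP 403).
function example_follow_toggle_fixed() {
    check_ajax_referer( 'example_follow', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $target = absint( $_POST['user_id'] ?? 0 );
    if ( 0 === $target || get_current_user_id() === $target || ! get_userdata( $target ) ) {
        wp_send_json_error( 'bad user_id', 400 );
    }
    wp_send_json_success( example_toggle_follow( $target ) );
}
// wp_ajax_* only: follow lists belong to logged-in users, so no wp_ajax_nopriv_* hook.
add_action( 'wp_ajax_example_follow_toggle', 'example_follow_toggle_fixed' );
// Client side: mint the nonce server-side and hand it to the page script, which
// sends it as the 'nonce' POST field with every legitimate same-origin request.
function example_enqueue_follow_script() {
    wp_enqueue_script( 'example-follow', plugins_url( 'follow.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-follow', 'exampleFollow', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_follow' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'example_enqueue_follow_script' );
```

A WAF in front of admin-ajax.php can only check that the nonce field is present; validating it requires the site's secret keys, so the plugin update remains the real fix.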
CVE-2026-22215 is a cross-site request forgery (CSRF) vulnerability affecting wpDiscuz versions prior to 7.6.47, allowing attackers to manipulate user follow data.
You are affected if you are using a wpDiscuz version earlier than 7.6.47. Upgrade to 7.6.47 to mitigate the risk.
Upgrade the wpDiscuz plugin to version 7.6.47 or later. As a temporary workaround, implement a WAF rule to filter requests to the vulnerable endpoint.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the official wpDiscuz website or WordPress plugin repository for the latest security advisory and update information.