Platform: wordpress
Component: wpdiscuz
Fixed in: 7.6.47
CVE-2026-22202 describes a cross-site request forgery (CSRF) vulnerability discovered in wpDiscuz, a popular WordPress comment system plugin. This flaw allows an attacker to delete all comments associated with a specific email address by crafting a malicious GET request, bypassing standard CSRF protections. The vulnerability impacts versions of wpDiscuz prior to 7.6.47, and a patch has been released to address the issue.
The primary impact of this vulnerability is the unauthorized deletion of comments within the wpDiscuz system. An attacker can embed a malicious URL, containing a valid HMAC key, within an image tag or other resource on a website. When a user with an account in the wpDiscuz system visits this page, the crafted request will be executed, leading to the permanent deletion of all comments associated with their email address. This can severely disrupt discussions, remove valuable user-generated content, and potentially damage the reputation of the website. While not directly leading to system compromise, the loss of data and potential for targeted attacks against specific users represents a significant risk.
CVE-2026-22202 was publicly disclosed on 2026-03-13. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the relatively simple nature of CSRF exploitation, it is reasonable to assume that attackers may develop and deploy exploits in the future, particularly targeting sites running vulnerable versions of wpDiscuz.
Websites utilizing the wpDiscuz comment system plugin, particularly those running versions prior to 7.6.47, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially be leveraged to target others.
• wordpress / composer / npm:
  grep -r 'deletecomments' /var/www/html/wp-content/plugins/wpdiscuz/
• wordpress / composer / npm:
  wp plugin list | grep wpdiscuz
• wordpress / composer / npm:
  wp plugin update wpdiscuz
• generic web:
  Inspect website source code for embedded URLs containing deletecomments and a valid HMAC key.
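As an added example (not from this advisory or the wpDiscuz project), a short Python check that applies the inspection step above to web server access logs: it flags GET requests carrying the deletecomments action whose Referer is absent or comes from another host, which is the shape a request triggered from a third-party page takes. The log lines, the URL layout and the parameter names are constructed assumptions; only the deletecomments token comes from the page.

```python
import re
from urllib.parse import urlsplit

# Combined log format as written by Apache/nginx; the request line is split into method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines. URL shape and parameter names are assumptions; only the
# 'deletecomments' token comes from the advisory. HMAC_PLACEHOLDER stands in for the key value.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Mar/2026:10:00:01 +0000] "GET /index.php?action=deletecomments&email=user%40example.com&key=HMAC_PLACEHOLDER HTTP/1.1" 200 54 "http://attacker.example/page.html" "Mozilla/5.0"
198.51.100.7 - - [13/Mar/2026:10:00:02 +0000] "GET /?p=12 HTTP/1.1" 200 8123 "https://blog.example.com/" "Mozilla/5.0"
198.51.100.7 - - [13/Mar/2026:10:00:03 +0000] "GET /index.php?action=deletecomments&email=user%40example.com&key=HMAC_PLACEHOLDER HTTP/1.1" 200 54 "https://blog.example.com/?p=12" "Mozilla/5.0"
192.0.2.9 - - [13/Mar/2026:10:00:04 +0000] "GET /index.php?action=deletecomments&email=a%40b.com&key=HMAC_PLACEHOLDER HTTP/1.1" 200 54 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_cross_site(referer, site_host):
    """A missing Referer, or one from another host, means the request was not started on the site."""
    if referer in ("", "-"):
        return True
    return (urlsplit(referer).hostname or "").lower() != site_host.lower()

def flag_suspicious(lines, site_host):
    """Select GET requests carrying the deletecomments action that arrive from off-site.

    That is the pattern the advisory describes: a state-changing action reachable by GET
    and triggered from a page the site does not control. Each hit is a candidate to review."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or "deletecomments" not in entry["path"]:
            continue
        if entry["method"] == "GET" and is_cross_site(entry["referer"], site_host):
            hits.append(entry)
    return hits

if __name__ == "__main__":
    for h in flag_suspicious(SAMPLE_LOG.splitlines(), "blog.example.com"):
        print(h["ts"], h["ip"], h["referer"], h["path"])
```

A missing Referer is flagged conservatively because a Referrer-Policy can strip it, so hits are candidates to review against the plugin's own state, not confirmed deletions.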
disclosure
Exploit status:
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-22202 is to immediately upgrade the wpDiscuz plugin to version 7.6.47 or later. This patched version includes fixes to prevent the CSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing the deletecomments action with a valid HMAC key. Additionally, carefully review any third-party plugins or themes that interact with wpDiscuz to ensure they are not introducing further vulnerabilities. After upgrading, verify the fix by attempting to trigger the comment deletion action through a crafted URL – it should be blocked or fail.
Update the wpDiscuz plugin to version 7.6.47 or later. This version fixes the CSRF vulnerability that allows comments to be deleted without confirmation. The update can be performed from the WordPress administration dashboard.
CVE-2026-22202 is a cross-site request forgery vulnerability in wpDiscuz versions before the 7.6.47 fix, allowing attackers to delete the comments associated with an email address.
You are affected if you are using wpDiscuz versions prior to 7.6.47. Upgrade immediately to mitigate the risk.
Upgrade the wpDiscuz plugin to version 7.6.47 or later. Consider WAF rules as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the vulnerability is considered likely to be targeted.
Refer to the official wpDiscuz website and WordPress plugin repository for updates and advisories related to CVE-2026-22202.