Platform
wordpress
Component
wpdiscuz
Fixed in
7.6.47
CVE-2026-22215 is a cross-site request forgery (CSRF) vulnerability discovered in the wpDiscuz plugin for WordPress. This flaw allows attackers to trigger unauthorized actions, specifically manipulating user follow relationships, without proper nonce validation. The vulnerability affects versions of wpDiscuz prior to 7.6.47, and a patch is available in version 7.6.47.
The primary impact of this CSRF vulnerability lies in the ability of an attacker to manipulate user follow data within the wpDiscuz plugin. An attacker could craft malicious requests to add or remove users from follow lists, potentially impacting the plugin's social features and user experience. While the vulnerability doesn't directly lead to data exfiltration or system compromise, it can be leveraged to disrupt the plugin's functionality and potentially be chained with other vulnerabilities for more severe consequences. The lack of CSRF protection in the getFollowsPage() function is the root cause, allowing attackers to forge requests as if they originated from an authenticated user.
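To make the root cause concrete, here is an added example that is not wpDiscuz's own code: a hypothetical AJAX "follow" handler written without nonce validation, next to a hardened version that verifies the nonce with check_ajax_referer() before touching user data (the function names, action slug "demo_follow", nonce action "demo_follow_nonce" and meta key "demo_follows" are all assumed for illustration).

```php
<?php
// Added illustration, not wpDiscuz's code. Handler names, the action slug
// "demo_follow", nonce action "demo_follow_nonce" and meta key "demo_follows"
// are hypothetical.

// VULNERABLE pattern: the handler changes the requester's follow list but never
// checks a nonce, so any site the logged-in user visits can trigger it with the
// user's own session cookies. Deliberately NOT registered with add_action().
function demo_follow_vulnerable() {
    $uid       = get_current_user_id();
    $target    = absint( $_POST['target'] ?? 0 );
    $follows   = (array) get_user_meta( $uid, 'demo_follows', true );
    $follows[] = $target;                       // no CSRF check at all
    update_user_meta( $uid, 'demo_follows', array_unique( $follows ) );
    wp_send_json_success();
}

// HARDENED pattern: require login, then a nonce bound to this action, then
// validate the target before writing anything.
function demo_follow_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    // Third argument false: return instead of wp_die(), so we shape the reply.
    if ( ! check_ajax_referer( 'demo_follow_nonce', 'nonce', false ) ) {
        wp_send_json_error( 'missing or invalid nonce', 403 );
    }
    $uid    = get_current_user_id();
    $target = absint( $_POST['target'] ?? 0 );
    if ( 0 === $target || false === get_userdata( $target ) ) {
        wp_send_json_error( 'unknown user', 400 );
    }
    $follows   = (array) get_user_meta( $uid, 'demo_follows', true );
    $follows[] = $target;
    update_user_meta( $uid, 'demo_follows', array_values( array_unique( $follows ) ) );
    wp_send_json_success( array( 'following' => $target ) );
}
add_action( 'wp_ajax_demo_follow', 'demo_follow_hardened' );

// The nonce reaches the browser via script localisation; the client must send
// it back as the "nonce" POST field together with action=demo_follow.
function demo_enqueue_follow_script() {
    wp_enqueue_script( 'demo-follow', plugins_url( 'follow.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'demo-follow', 'demoFollow', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_follow_nonce' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'demo_enqueue_follow_script' );
```

A WAF rule of the kind the mitigation section describes can only check that a nonce field is present; the nonce's validity is tied to the user session, so the in-code check_ajax_referer() call is the real fix.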
CVE-2026-22215 was publicly disclosed on 2026-03-13. No public proof-of-concept (PoC) code has been released at the time of writing. The EPSS score is currently pending evaluation. It is not listed on the CISA KEV catalog.
Websites utilizing the wpDiscuz plugin, particularly those with active user communities and social features, are at risk. Shared hosting environments where plugin updates are managed centrally are also at increased risk, as they may be slower to apply security patches.
• wordpress / composer / npm:
grep -r "getFollowsPage()" /var/www/html/wp-content/plugins/wpdiscuz/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/wpdiscuz/getFollowsPage.php | grep -i 'server'
Disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-22215 is to immediately upgrade the wpDiscuz plugin to version 7.6.47 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter requests to the getFollowsPage() endpoint, specifically looking for missing or invalid CSRF tokens. Additionally, ensure that all users are educated about the risks of clicking on suspicious links or visiting untrusted websites, as this can facilitate CSRF attacks. After upgrading, verify the fix by attempting to trigger a follow action via a crafted URL and confirming that it requires authentication.
Update the wpDiscuz plugin to version 7.6.47 or later. This version fixes the CSRF vulnerability in the getFollowsPage() function. The update can be performed from the WordPress admin panel, in the Plugins section.
CVE-2026-22215 is a cross-site request forgery (CSRF) vulnerability affecting wpDiscuz versions 0–7.6.47, allowing attackers to manipulate user follow data.
You are affected if you are using wpDiscuz version 7.6.47 or earlier. Upgrade to 7.6.47 to mitigate the risk.
Upgrade the wpDiscuz plugin to version 7.6.47 or later. As a temporary workaround, implement a WAF rule to filter requests to the vulnerable endpoint.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the official wpDiscuz website or WordPress plugin repository for the latest security advisory and update information.