Platform: wordpress
Component: wpdiscuz
Fixed version: 7.6.47
CVE-2026-22202 describes a cross-site request forgery (CSRF) vulnerability discovered in wpDiscuz, a popular WordPress comment system plugin. This flaw allows an attacker to delete all comments associated with a specific email address by crafting a malicious GET request, bypassing standard CSRF protections. The vulnerability impacts versions of wpDiscuz prior to 7.6.47, and a patch has been released to address the issue.
The primary impact of this vulnerability is the unauthorized deletion of comments within the wpDiscuz system. An attacker can embed a malicious URL, containing a valid HMAC key, within an image tag or other resource on a website. When a user with an account in the wpDiscuz system visits this page, the crafted request will be executed, leading to the permanent deletion of all comments associated with their email address. This can severely disrupt discussions, remove valuable user-generated content, and potentially damage the reputation of the website. While not directly leading to system compromise, the loss of data and potential for targeted attacks against specific users represents a significant risk.
CVE-2026-22202 was publicly disclosed on 2026-03-13. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the relatively simple nature of CSRF exploitation, it is reasonable to assume that attackers may develop and deploy exploits in the future, particularly targeting sites running vulnerable versions of wpDiscuz.
Websites utilizing the wpDiscuz comment system plugin, particularly those running versions prior to 7.6.47, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially be leveraged to target others.
• wordpress / composer / npm:
grep -r 'deletecomments' /var/www/html/wp-content/plugins/wpdiscuz/
• wordpress / composer / npm:
wp plugin list | grep wpdiscuz
• wordpress / composer / npm:
wp plugin update wpdiscuz
• generic web:
Inspect website source code for embedded URLs containing deletecomments and a valid HMAC key.
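The version check and the log review behind the steps above, as an added example that is not part of the advisory or of wpDiscuz itself. It parses `wp plugin list` output to flag any wpdiscuz release older than 7.6.47, and scans combined-format access-log lines for requests carrying the deletecomments action, marking those arriving with a Referer from another origin (the embedded-image delivery the advisory describes). The query parameter names and all sample data are constructed placeholders; the advisory names only the action.

```python
import re
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = (7, 6, 47)  # first wpDiscuz release with the fix, per the advisory

def parse_version(v):
    """'7.6.46' -> (7, 6, 46), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.strip().split("."))
def is_vulnerable(version):
    return parse_version(version) < FIXED_VERSION  # any release before 7.6.47

def wpdiscuz_version(plugin_list_output):
    """Pull the wpdiscuz version from `wp plugin list` output (name, status, update, version)."""
    for line in plugin_list_output.splitlines():
        cols = line.split()
        if cols and cols[0] == "wpdiscuz":
            return cols[-1]
    return None

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"')

def flag_request(line, site_host):
    """Finding dict if the line requests the deletecomments action, else None. Assumption:
    'deletecomments' appears in the path or a query value; the advisory names the action
    but not the parameter, so the match is deliberately broad."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    values = [v for vals in parse_qs(url.query).values() for v in vals]
    if "deletecomments" not in url.path and not any("deletecomments" in v for v in values):
        return None
    referer_host = urlsplit(m["referer"]).hostname
    # A Referer from another origin matches the embedded-image delivery the advisory
    # describes; an empty Referer is ambiguous and also deserves a look.
    return {"ip": m["ip"], "method": m["method"], "status": m["status"],
            "cross_site_referer": bool(referer_host) and referer_host != site_host}

def scan_log(lines, site_host):
    return [f for f in (flag_request(l, site_host) for l in lines) if f]

# Constructed sample data, not real traffic; the parameter names are placeholders.
SAMPLE_PLUGIN_LIST = "name     status  update     version\nwpdiscuz active  available  7.6.46\n"
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Mar/2026:10:00:01 +0000] "GET /?p=42 HTTP/1.1" 200 5120 "https://blog.example/" "Mozilla/5.0"',
    '203.0.113.5 - - [13/Mar/2026:10:00:07 +0000] "GET /?action=deletecomments&key=PLACEHOLDER HTTP/1.1" 200 43 "https://blog.example/?p=42" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Mar/2026:10:01:30 +0000] "GET /?action=deletecomments&key=PLACEHOLDER HTTP/1.1" 200 43 "https://third-party.example/post" "Mozilla/5.0"',
]
```

Run `scan_log(SAMPLE_LOG, "blog.example")` to see the two flagged requests; only the third line is marked cross-site.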
Disclosure
Exploit status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-22202 is to immediately upgrade the wpDiscuz plugin to version 7.6.47 or later. This patched version includes fixes to prevent the CSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing the deletecomments action with a valid HMAC key. Additionally, carefully review any third-party plugins or themes that interact with wpDiscuz to ensure they are not introducing further vulnerabilities. After upgrading, verify the fix by attempting to trigger the comment deletion action through a crafted URL – it should be blocked or fail.
Update the wpDiscuz plugin to version 7.6.47 or later. This version fixes the CSRF vulnerability that allowed comments to be deleted without confirmation. The update can be performed from the WordPress admin dashboard.
CVE-2026-22202 is a cross-site request forgery vulnerability in all wpDiscuz versions prior to 7.6.47, allowing attackers to delete the comments associated with an email address.
You are affected if you are using wpDiscuz versions prior to 7.6.47. Upgrade immediately to mitigate the risk.
Upgrade the wpDiscuz plugin to version 7.6.47 or later. Consider WAF rules as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the vulnerability is considered likely to be targeted.
Refer to the official wpDiscuz website and WordPress plugin repository for updates and advisories related to CVE-2026-22202.