7.6.47
CVE-2026-22202 describes a cross-site request forgery (CSRF) vulnerability discovered in wpDiscuz, a popular WordPress comment system plugin. This flaw allows an attacker to delete all comments associated with a specific email address by crafting a malicious GET request, bypassing standard CSRF protections. The vulnerability impacts versions of wpDiscuz prior to 7.6.47, and a patch has been released to address the issue.
The primary impact of this vulnerability is the unauthorized deletion of comments within the wpDiscuz system. An attacker can embed a malicious URL, containing a valid HMAC key, within an image tag or other resource on a website. When a user with an account in the wpDiscuz system visits this page, the crafted request will be executed, leading to the permanent deletion of all comments associated with their email address. This can severely disrupt discussions, remove valuable user-generated content, and potentially damage the reputation of the website. While not directly leading to system compromise, the loss of data and potential for targeted attacks against specific users represents a significant risk.
CVE-2026-22202 was publicly disclosed on 2026-03-13. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the relatively simple nature of CSRF exploitation, it is reasonable to assume that attackers may develop and deploy exploits in the future, particularly targeting sites running vulnerable versions of wpDiscuz.
Websites utilizing the wpDiscuz comment system plugin, particularly those running versions prior to 7.6.47, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially be leveraged to target others.
• wordpress / composer / npm: grep -r 'deletecomments' /var/www/html/wp-content/plugins/wpdiscuz/
• wordpress / composer / npm: wp plugin list | grep wpdiscuz
• wordpress / composer / npm: wp plugin update wpdiscuz
• generic web: Inspect website source code for embedded URLs containing deletecomments and a valid HMAC key.
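As an added example (not from this advisory or the wpDiscuz project), the following scan flags the request shape the advisory describes, a GET carrying the deletecomments action whose Referer is missing or belongs to another origin, over constructed combined-format access log lines. The admin-ajax.php path and the action/email/hmac parameter names are assumptions; substitute the endpoint your installation actually exposes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SITE_HOST = "blog.example"  # hypothetical protected site
SAMPLE_LOG = """\
203.0.113.5 - - [13/Mar/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=deletecomments&email=a%40example.com&hmac=deadbeef HTTP/1.1" 200 17 "https://evil.example/post" "Mozilla/5.0"
203.0.113.5 - - [13/Mar/2026:10:00:02 +0000] "GET /?p=42 HTTP/1.1" 200 5120 "https://blog.example/" "Mozilla/5.0"
198.51.100.7 - - [13/Mar/2026:10:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 17 "https://blog.example/?p=42" "Mozilla/5.0"
198.51.100.9 - - [13/Mar/2026:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=deletecomments&email=b%40example.com&hmac=cafebabe HTTP/1.1" 200 17 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(rec, site_host=SITE_HOST):
    """A GET carrying the deletecomments action is a state change over GET (the CSRF
    shape in the advisory); flag it when the Referer is absent or from another origin."""
    if rec["method"] != "GET":
        return False
    qs = parse_qs(urlsplit(rec["target"]).query)  # assumed query-string layout
    if "deletecomments" not in qs.get("action", []):
        return False
    ref = rec["referer"]
    if ref in ("", "-"):
        return True  # no Referer: direct navigation or a stripped header, worth review
    return urlsplit(ref).hostname != site_host

def find_csrf_candidates(log_text, site_host=SITE_HOST):
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec, site_host):
            hits.append((rec["ip"], rec["ts"], rec["referer"]))
    return hits

if __name__ == "__main__":
    for ip, ts, ref in find_csrf_candidates(SAMPLE_LOG):
        print(f"{ts} {ip} deletecomments via GET, referer={ref!r}")
```

Same-origin GETs with the action are deliberately not flagged here; after upgrading to 7.6.47 or later, any hit at all for this action over GET is itself worth investigating.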
disclosure
Exploitation status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-22202 is to immediately upgrade the wpDiscuz plugin to version 7.6.47 or later. This patched version includes fixes to prevent the CSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing the deletecomments action with a valid HMAC key. Additionally, carefully review any third-party plugins or themes that interact with wpDiscuz to ensure they are not introducing further vulnerabilities. After upgrading, verify the fix by attempting to trigger the comment deletion action through a crafted URL – it should be blocked or fail.
Update the wpDiscuz plugin to version 7.6.47 or later. This version fixes the CSRF vulnerability that allowed comments to be deleted without confirmation. The update can be performed through the WordPress admin panel.
CVE-2026-22202 is a cross-site request forgery vulnerability in wpDiscuz versions before 7.6.47 (fixed in 7.6.47), allowing attackers to delete the comments associated with an email address.
You are affected if you are using wpDiscuz versions prior to 7.6.47. Upgrade immediately to mitigate the risk.
Upgrade the wpDiscuz plugin to version 7.6.47 or later. Consider WAF rules as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the vulnerability is considered likely to be targeted.
Refer to the official wpDiscuz website and WordPress plugin repository for updates and advisories related to CVE-2026-22202.