CVE-2026-22202
Published: 13 March 2026
Summary
CVE-2026-22202 is a high-severity CSRF (CWE-352) vulnerability in Gvectors Wpdiscuz. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 6.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the CSRF flaw in wpDiscuz by requiring timely patching to version 7.6.47 or later, which implements proper CSRF protections.
- SC-23 (Session Authenticity): enforces session-authenticity mechanisms such as anti-CSRF tokens so that a forged GET request cannot trigger comment deletion.
- Input validation at web endpoints: rejects unauthorized or improperly formatted HMAC-keyed GET requests for destructive actions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF flaw in a public-facing WordPress plugin directly enables exploitation of the web application to perform unauthorized actions (comment deletion).
NVD Description
wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to trigger permanent deletion of comments without user confirmation or POST-based CSRF protection.
Deeper analysis
CVE-2026-22202 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting the wpDiscuz WordPress plugin in versions prior to 7.6.47. The flaw enables attackers to delete all comments associated with a specific email address by crafting a malicious GET request that includes a valid HMAC key. This request lacks user confirmation or POST-based CSRF protection, making it exploitable through embedded resources such as image tags.
Attackers with network access can exploit this vulnerability without privileges (PR:N), though it requires user interaction (UI:R), such as a victim visiting a malicious webpage. By embedding the deletecomments action URL in images or other resources, attackers can trigger permanent deletion of all comments linked to the victim's email address upon page load. The vulnerability yields high integrity (I:H) and availability (A:H) impacts with no confidentiality effects, earning a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H).
Mitigation involves updating wpDiscuz to version 7.6.47 or later, the first version outside the affected range. Relevant advisories, including the VulnCheck report at https://www.vulncheck.com/advisories/wpdiscuz-before-destructive-get-action-deletes-all-comments-by-email, detail the issue, while the official plugin pages at https://wordpress.org/plugins/wpdiscuz/ and https://wordpress.org/plugins/wpdiscuz/#developers provide access to patches and developer resources.
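As an added detection example (not part of this advisory or of the wpDiscuz code), the following Python scans Apache combined-format access logs for GET requests that invoke the deletecomments action and marks those whose Referer is off-site or absent, the signature of a request fired by a resource embedded in a third-party page. The query-string shape (?action=deletecomments&key=...) and the sample log lines are constructed assumptions for illustration, not taken from the plugin.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format), not real traffic.
# The request shape "?action=deletecomments&key=..." is an assumption for
# illustration; it is not taken from the wpDiscuz source.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Mar/2026:10:01:02 +0000] "GET /blog/post-1/?action=deletecomments&key=abc123 HTTP/1.1" 200 512 "https://evil.example/gallery" "Mozilla/5.0"
203.0.113.8 - - [13/Mar/2026:10:01:05 +0000] "GET /blog/post-1/ HTTP/1.1" 200 10240 "https://blog.example/" "Mozilla/5.0"
203.0.113.9 - - [13/Mar/2026:10:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "https://blog.example/blog/post-1/" "Mozilla/5.0"
203.0.113.10 - - [13/Mar/2026:10:01:40 +0000] "GET /blog/post-3/?action=deletecomments&key=ghi789 HTTP/1.1" 200 512 "https://blog.example/blog/post-3/" "Mozilla/5.0"
203.0.113.11 - - [13/Mar/2026:10:02:00 +0000] "GET /blog/post-2/?action=deletecomments&key=def456 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Actions that must never be reachable through a plain GET.
DESTRUCTIVE_ACTIONS = {"deletecomments"}


def find_destructive_get(log_text, site_host):
    """Return one finding per GET request that invokes a destructive action.

    Every such GET is a finding: after the fix, deletion requires POST and a
    CSRF token. cross_site is True when the Referer is off-site or absent,
    i.e. the request was most likely triggered by an <img> or similar resource
    on a page the victim visited (an absent Referer may also come from a strict
    Referrer-Policy, so treat it as a lead, not proof).
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        query = parse_qs(urlsplit(m["target"]).query)
        action = query.get("action", [None])[0]
        if action not in DESTRUCTIVE_ACTIONS:
            continue
        referer = m["referer"]
        referer_host = urlsplit(referer).hostname if referer != "-" else None
        findings.append({
            "ip": m["ip"], "time": m["ts"], "action": action,
            "status": m["status"], "referer": referer,
            "cross_site": referer_host != site_host,
        })
    return findings


if __name__ == "__main__":
    for f in find_destructive_get(SAMPLE_LOG, "blog.example"):
        flag = "CROSS-SITE" if f["cross_site"] else "same-site"
        print(f"{f['time']} {f['ip']} action={f['action']} referer={f['referer']} [{flag}]")
```

Run against a real log after the upgrade, the same scan should return nothing for GET traffic; any hit on a patched site is worth investigating.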
Details
- CWE(s)