Cyber Resilience

CVE-2026-22202

Severity: Medium · Public PoC

Published: 13 March 2026
Modified: 17 March 2026
CVSS v4 score: 6.1 (vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0017 (6.1th percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-22202 is a medium-severity CSRF (CWE-352) vulnerability in Gvectors Wpdiscuz. Its CVSS base score is 6.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22202 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting the wpDiscuz WordPress plugin in versions prior to 7.6.47. The flaw enables attackers to delete all comments associated with a specific email address by crafting a malicious GET request that includes a valid HMAC key. Because the request requires neither user confirmation nor POST-based CSRF protection, it can be triggered through embedded resources such as image tags.

Attackers with network access can exploit this vulnerability without privileges (PR:N), though it requires user interaction (UI:R), such as a victim visiting a malicious webpage. By embedding the deletecomments action URL in images or other resources, attackers can trigger permanent deletion of all comments linked to the victim's email address upon page load. The vulnerability yields high integrity (I:H) and availability (A:H) impacts with no confidentiality effects, earning a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H).

Mitigation involves updating wpDiscuz to version 7.6.47 or later, since the vulnerability affects only prior versions. Relevant advisories, including the VulnCheck report at https://www.vulncheck.com/advisories/wpdiscuz-before-destructive-get-action-deletes-all-comments-by-email, detail the issue, while the official plugin pages at https://wordpress.org/plugins/wpdiscuz/ and https://wordpress.org/plugins/wpdiscuz/#developers provide access to patches and developer resources.
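As an added detection example (not code from this record or from the wpDiscuz project), the script below scans access logs in the combined Apache/Nginx format for GET requests that carry the deletecomments action and arrive with a missing or foreign Referer, which is the embedded-resource CSRF pattern described above. The query-parameter name `action`, the site host and the log lines are constructed assumptions, not values from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Combined (Apache/Nginx) access-log format: we need method, URL, status, Referer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SITE_HOST = "blog.example.com"            # assumed host of the protected site
DESTRUCTIVE_ACTIONS = {"deletecomments"}  # action named in the advisory
ACTION_PARAM = "action"                   # assumed query-parameter name

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def referer_is_foreign(referer):
    # A missing Referer counts as foreign: an <img> on another site may send
    # none, whereas a same-site confirmation form always would.
    if referer in ("", "-"):
        return True
    return urlsplit(referer).hostname != SITE_HOST

def find_csrf_candidates(lines):
    """GET requests for a destructive action that did not come from a same-site page."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        action = parse_qs(urlsplit(rec["url"]).query).get(ACTION_PARAM, [""])[0]
        if action not in DESTRUCTIVE_ACTIONS or not referer_is_foreign(rec["referer"]):
            continue
        findings.append({
            "ip": rec["ip"], "ts": rec["ts"], "action": action,
            "referer": rec["referer"],
            "succeeded": rec["status"].startswith("2"),  # 2xx: deletion went through
        })
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.9 - - [14/Mar/2026:10:01:02 +0000] "GET /?action=deletecomments&key=abc123 HTTP/1.1" 200 512 "https://evil.example.net/post" "Mozilla/5.0"',
    '203.0.113.9 - - [14/Mar/2026:10:01:05 +0000] "GET /wp-content/uploads/x.png HTTP/1.1" 200 4096 "https://blog.example.com/" "Mozilla/5.0"',
    '198.51.100.4 - - [14/Mar/2026:10:02:00 +0000] "GET /?action=deletecomments&key=def456 HTTP/1.1" 200 512 "https://blog.example.com/confirm" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Mar/2026:10:03:00 +0000] "GET /?action=deletecomments&key=ghi789 HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    for f in find_csrf_candidates(SAMPLE_LOG):
        print(f)
```

Entries with `succeeded` set are the ones to triage first, since the server returned 2xx and the deletion most likely went through; a 4xx on the same pattern indicates the patched plugin rejecting the request.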

Vulnerability details

wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to trigger permanent deletion of comments without user confirmation or POST-based CSRF protection.

CWE(s): CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CSRF flaw in public-facing WordPress plugin directly enables exploitation of web application to perform unauthorized actions (comment deletion).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2023-46309 (same product: Gvectors Wpdiscuz)
CVE-2023-45760 (same product: Gvectors Wpdiscuz)
CVE-2026-22192 (same product: Gvectors Wpdiscuz)
CVE-2026-22193 (same product: Gvectors Wpdiscuz)
CVE-2026-22199 (same product: Gvectors Wpdiscuz)
CVE-2026-22182 (same product: Gvectors Wpdiscuz)
CVE-2025-23467 (shared CWE-352)
CVE-2018-25170 (shared CWE-352)
CVE-2025-22336 (shared CWE-352)
CVE-2025-23821 (shared CWE-352)

Affected Assets

gvectors wpdiscuz, versions ≤ 7.6.47

Mitigating Controls (NIST 800-53 r5, AI-mapped)

prevent · SI-2 (Flaw Remediation): directly remediates the CSRF flaw in wpDiscuz by requiring timely patching to version 7.6.47 or later, which implements proper CSRF protections.

prevent · SC-23 (Session Authenticity): enforces session authenticity mechanisms such as anti-CSRF tokens to prevent forged GET requests from triggering comment deletions.

prevent: validates information inputs at web endpoints to reject unauthorized or improperly formatted HMAC-keyed GET requests for destructive actions.
