CVE-2026-22202
Received Received - Intake
CSRF Vulnerability in wpDiscuz Allows Mass Comment Deletion

Publication date: 2026-03-13

Last updated on: 2026-03-17

Assigner: VulnCheck

Description
wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to trigger permanent deletion of comments without user confirmation or POST-based CSRF protection.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22202
EUVD
EUVD-2026-11747
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gvectors wpdiscuz to 7.6.47 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-22202 is a Cross-Site Request Forgery (CSRF) vulnerability in wpDiscuz versions before 7.6.47. It allows attackers to delete all comments associated with a specific email address by sending a maliciously crafted GET request that includes a valid HMAC key.'}, {'type': 'paragraph', 'content': "The vulnerability exploits the lack of POST-based CSRF protection and absence of user confirmation, enabling attackers to embed the deletecomments action URL in image tags or other resources. This causes permanent deletion of comments without the user's knowledge or interaction."}] [1]

Impact Analysis

This vulnerability can lead to permanent deletion of all comments associated with a targeted email address on a vulnerable wpDiscuz installation.

Since the attack requires no privileges and can be triggered via network with low complexity, it poses a significant risk to the integrity and availability of comment data.

Users may experience loss of important discussion content, which can affect community engagement and trust.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring network traffic for malicious GET requests targeting the wpDiscuz deletecomments action URL that include a valid HMAC key.'}, {'type': 'paragraph', 'content': 'You can use network traffic analysis tools like tcpdump or Wireshark to capture HTTP GET requests and filter for suspicious URLs containing the deletecomments action.'}, {'type': 'list_item', 'content': "Example tcpdump command to capture HTTP GET requests: tcpdump -i any -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'GET'"}, {'type': 'list_item', 'content': "Use grep or similar tools on web server logs to search for GET requests containing 'deletecomments' and HMAC keys."}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade wpDiscuz to version 7.6.47 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, consider implementing network-level protections such as blocking or filtering suspicious GET requests that contain the deletecomments action URL with HMAC keys.

Additionally, review and enhance CSRF protections by enforcing POST-based requests for destructive actions and requiring user confirmation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22202. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart