Description
wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to trigger permanent deletion of comments without user confirmation or POST-based CSRF protection.
Published: 2026-03-13
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Loss (Deletion of Comments via CSRF)
Action: Apply Patch
AI Analysis

Impact

wpDiscuz before version 7.6.47 contains a cross‑site request forgery flaw that enables an attacker to delete all comments associated with a specific email address. This is achieved by crafting a malicious GET request containing a valid HMAC key. When the deletecomments action URL is invoked—such as by embedding it in an image tag or other resource—the request is processed without the typical POST‑based confirmation or CSRF tokens, resulting in permanent removal of the targeted comments. The vulnerability is identified as CWE‑352.

Affected Systems

The affected product is the WordPress plugin wpDiscuz, provided by gVectors. All releases older than 7.6.47 are susceptible; updating to version 7.6.47 or later eliminates the flaw.

Risk and Exploitability

The CVSS score is 6.1 (Medium), and the EPSS score indicates an exploitation probability of less than 1 %. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only that an attacker be able to send a crafted HTTP GET request to the target site, which can be performed via a simple browser or embedded resource. Once the attacker supplies the appropriate email address and valid HMAC key, no additional authentication or privileged access is needed, making the attack surface relatively easy for anyone who can predict or obtain a valid key.

Generated by OpenCVE AI on March 17, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update wpDiscuz to version 7.6.47 or newer.
  • If an update is not feasible, block the deletecomments GET endpoint using server‑side rules (e.g., .htaccess or firewall).
  • Alternatively, modify the plugin to require POST requests for the deleteaction or to validate a nonce before processing deletions.

Generated by OpenCVE AI on March 17, 2026 at 21:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 02:00:00 +0000

Type Values Removed Values Added
Description wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to trigger permanent deletion of comments without user confirmation or POST-based CSRF protection.
Title wpDiscuz before 7.6.47 - Destructive GET Action Deletes All Comments by Email
First Time appeared Gvectors
Gvectors wpdiscuz
Weaknesses CWE-352
CPEs cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
Vendors & Products Gvectors
Gvectors wpdiscuz
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}

cvssV4_0

{'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Gvectors Wpdiscuz
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-13T16:08:59.351Z

Reserved: 2026-01-06T16:47:17.185Z

Link: CVE-2026-22202

cve-icon Vulnrichment

Updated: 2026-03-13T16:08:56.611Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-13T19:54:10.353

Modified: 2026-03-17T20:24:54.670

Link: CVE-2026-22202

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:59:54Z

Weaknesses