Description
wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability in the getFollowsPage() function that allows attackers to trigger unauthorized actions without nonce validation. Attackers can craft malicious requests to enumerate follow relationships and manipulate user follow data by exploiting the missing CSRF protection in the follows page handler.
Published: 2026-03-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery
Action: Patch
AI Analysis

Impact

The wpDiscuz plugin for WordPress before version 7.6.47 contains a cross-site request forgery (CSRF) vulnerability in the getFollowsPage() function. Because the handler performs no nonce validation, attackers can craft malicious requests that enumerate follow relationships and manipulate user follow data without authorization. This flaw compromises the integrity of social interactions on a WordPress site by letting attackers alter users' follow relationships.
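The vulnerability class here (CWE-352, a state-changing WordPress AJAX handler that checks no nonce) is easier to reason about with a concrete handler side by side with its hardened form. The following is an added illustration written for this page; it is not wpDiscuz code, which is not shown here, and the action, handler, nonce and meta-key names (`demo_follows_page`, `demo_follows_nonce`, `demo_following`) are hypothetical.

```php
<?php
// Added illustration, not wpDiscuz code. All demo_* names are hypothetical.

// Vulnerable pattern (CWE-352). The 'wp_ajax_' prefix means this only runs for
// logged-in users, but the browser attaches the victim's session cookies to a
// cross-site request automatically, so a forged form or fetch() from another
// origin reaches the handler with full user context and no proof of intent.
add_action( 'wp_ajax_demo_follows_page_insecure', function () {
    $target = absint( $_POST['target_user'] ?? 0 );
    // State change with no nonce check: any cross-site request succeeds.
    update_user_meta( get_current_user_id(), 'demo_following', $target );
    wp_send_json_success( array( 'following' => $target ) );
} );

// Hardened pattern. The page emits a per-user nonce tied to a named action,
// and the handler refuses requests that do not carry a valid one.
add_action( 'wp_enqueue_scripts', function () {
    // Assumes a script with handle 'demo-follows' has been registered elsewhere.
    wp_localize_script( 'demo-follows', 'demoFollows', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_follows_nonce' ),
    ) );
} );

add_action( 'wp_ajax_demo_follows_page', function () {
    // Dies with a 403 response when the 'nonce' field is missing or invalid.
    // The action string must match the one used in wp_create_nonce() above.
    check_ajax_referer( 'demo_follows_nonce', 'nonce' );

    // A nonce proves the request came from a page this user loaded; it does not
    // prove authority, so authorisation is still checked separately.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    $target = absint( $_POST['target_user'] ?? 0 );
    if ( 0 === $target || ! get_userdata( $target ) ) {
        wp_send_json_error( 'invalid target user', 400 );
    }

    // Only the caller's own follow data is ever modified.
    update_user_meta( get_current_user_id(), 'demo_following', $target );
    wp_send_json_success( array( 'following' => $target ) );
} );
```

When reviewing a plugin for this weakness, the check is mechanical: every `wp_ajax_*` and `wp_ajax_nopriv_*` callback that writes data should call `check_ajax_referer()` (or `wp_verify_nonce()`) before the write, and read-only callbacks that expose per-user relationships should do the same, since CSRF against a read endpoint is the enumeration half of the description above.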

Affected Systems

Vendor gVectors provides the wpDiscuz plugin for WordPress. The vulnerability affects all releases of wpDiscuz prior to version 7.6.47. The relevant CPE identifier is cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*.

Risk and Exploitability

The flaw has a CVSS score of 5.3, indicating medium severity, and an EPSS score of less than 1%, suggesting a low probability of exploitation. It is not listed in CISA’s KEV catalog. The likely attack vector is a CSRF attack where a victim is tricked into visiting a malicious URL that triggers the vulnerable endpoint. Because the flaw requires that a victim’s browser be authenticated to the site, the impact is limited to accounts that have already logged in, but it still permits unauthorized modification of follow data.

Generated by OpenCVE AI on March 17, 2026 at 12:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply vendor patch v7.6.47 or newer.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 15:15:00 +0000

Values removed: none. Values added:

Type: Metrics
Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 10:00:00 +0000

Values removed: none. Values added:

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Fri, 13 Mar 2026 02:00:00 +0000

Values removed: none. Values added:

Type: Description
Values Added: wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability in the getFollowsPage() function that allows attackers to trigger unauthorized actions without nonce validation. Attackers can craft malicious requests to enumerate follow relationships and manipulate user follow data by exploiting the missing CSRF protection in the follows page handler.

Type: Title
Values Added: wpDiscuz before 7.6.47 - Missing CSRF Protection on wpdGetFollowsPage

Type: First Time appeared
Values Added: Gvectors; Gvectors wpdiscuz

Type: Weaknesses
Values Added: CWE-352

Type: CPEs
Values Added: cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Gvectors; Gvectors wpdiscuz

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1
  {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}
  cvssV4_0
  {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-13T14:14:23.315Z

Reserved: 2026-01-06T16:47:17.187Z

Link: CVE-2026-22215

Vulnrichment

Updated: 2026-03-13T14:14:19.044Z

NVD

Status : Analyzed

Published: 2026-03-13T19:54:11.440

Modified: 2026-03-17T11:44:28.693

Link: CVE-2026-22215

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:59:50Z

Weaknesses