CVE-2026-22202 in wpDiscuz
Summary
by MITRE • 03/13/2026
wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to trigger permanent deletion of comments without user confirmation or POST-based CSRF protection.
Analysis
by VulDB Data Team • 03/20/2026
The wpDiscuz plugin for WordPress is a widely used commenting system, and versions prior to 7.6.47 contain a critical cross-site request forgery vulnerability. The flaw stems from improper request validation in the comment management functionality, specifically in the deletion process: because the endpoint does not verify that the request was intentionally issued by the user, attackers can execute unauthorized actions against user comments. The vulnerability is particularly dangerous because it leverages the legitimate HMAC key validation system that is normally used for authenticating administrative actions, thereby bypassing the standard security controls that would typically prevent unauthorized modifications.
Technically, the vulnerability lies in the deletecomments action endpoint, which accepts GET requests carrying a valid HMAC key. This design flaw enables attackers to construct malicious URLs that, when loaded by a user's browser, automatically trigger comment deletion. The attack vector becomes particularly insidious when such URLs are embedded in image tags or other web resources, because the browser fetches them silently in the background without any user interaction or confirmation prompt. This bypasses traditional POST-based CSRF protection, which would normally require the user to submit a form or click through a confirmation dialog. The vulnerability is classified under CWE-352, which covers Cross-Site Request Forgery weaknesses in web applications.
The operational impact extends beyond simple comment deletion: it amounts to a compromise of user data integrity within the commenting system. Attackers can target specific email addresses and delete all associated comments, disrupting user engagement, removing valuable content, and undermining the trust users place in the commenting platform. Because the deletions are permanent and happen without confirmation, victims may lose significant amounts of previously submitted and possibly moderated content. The deletion capability could also serve as one step in broader social engineering campaigns, or be used to manipulate content visibility and user experience within the WordPress environment.
Organizations and users affected by this vulnerability should immediately upgrade to wpDiscuz version 7.6.47 or later, which implements proper CSRF protection, including request validation and confirmation requirements for comment deletion. Additional mitigations include proper input validation for all API endpoints, strict authentication requirements for administrative actions, and web application firewalls that can detect and block suspicious GET request patterns targeting administrative functions. The vulnerability demonstrates why robust CSRF protection matters even for systems that rely on HMAC-based authentication: the presence of a valid authentication token does not by itself guarantee that a request is legitimate or authorized. Security teams should also monitor for unusual patterns of comment deletion activity and ensure that all administrative endpoints require proper verification before executing potentially destructive operations. This vulnerability aligns with ATT&CK technique T1213, which involves data manipulation through unauthorized access to administrative functions, emphasizing the need for comprehensive protection of privileged operations within web applications.
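To make the core point concrete (a valid HMAC key on a GET link proves only that the site issued the link, not that its owner chose to act now), here is an added, simplified model of the deletecomments flow and of the hardened checks described in the mitigation paragraph. It is not wpDiscuz's own code; the secret, the key scheme, the parameter names and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

SECRET = b"constructed-site-secret"  # constructed value, not a real wpDiscuz secret


def comment_key(email: str) -> str:
    """HMAC that ties a 'manage my comments' link to one email (assumed scheme)."""
    return hmac.new(SECRET, email.encode(), hashlib.sha256).hexdigest()


@dataclass
class Request:
    method: str
    params: dict
    headers: dict = field(default_factory=dict)


def deletecomments_weak(req: Request, comments: dict) -> str:
    """Weak pattern: any GET carrying a valid key deletes every comment for the email.
    The key only proves the site issued the link, not that its owner is acting now."""
    email, key = req.params.get("email", ""), req.params.get("key", "")
    if not hmac.compare_digest(key, comment_key(email)):
        return "rejected: bad key"
    comments.pop(email, None)
    return "deleted"


def deletecomments_hardened(req: Request, comments: dict, session_nonce: str) -> str:
    """Hardened pattern: POST only, a per-session nonce the attacker cannot know,
    explicit confirmation, and a cross-site fetch is refused; the key is checked last."""
    if req.method != "POST":
        return "rejected: destructive action must be POST"
    if req.headers.get("Sec-Fetch-Site") == "cross-site":  # defence in depth; nonce is primary
        return "rejected: cross-site request"
    if not hmac.compare_digest(req.params.get("nonce", ""), session_nonce):
        return "rejected: missing or invalid nonce"
    if req.params.get("confirm") != "1":
        return "rejected: confirmation required"
    email, key = req.params.get("email", ""), req.params.get("key", "")
    if not hmac.compare_digest(key, comment_key(email)):
        return "rejected: bad key"
    comments.pop(email, None)
    return "deleted"


def cross_site_image_get(email: str) -> Request:
    """Constructed stand-in for what a browser sends for an <img> on a third-party page:
    a GET with a valid key, no nonce, no confirmation, flagged cross-site by the browser."""
    return Request("GET", {"action": "deletecomments", "email": email, "key": comment_key(email)},
                   {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Dest": "image"})
```

Running the same cross-site request through both handlers shows the weak one deleting the comments and the hardened one rejecting it before the key is even examined, while a same-origin POST with the session nonce and confirmation still succeeds.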