Home / Vulnerability Intelligence / CVE-2026-22202

CVE-2026-22202 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: March 13, 2026

wpDiscuz - Cross-Site Request Forgery

Published: March 13, 2026Updated: March 13, 2026Remote Exploitable

Overview

wpDiscuz before 7.6.47 contains a cross-site request forgery caused by lack of POST-based CSRF protection in deletecomments action, letting attackers delete all comments associated with an email via crafted GET requests.

Severity & Score

Severity: High

CVSS Score: 8.1

Impact

Attackers can permanently delete all comments linked to an email address without user confirmation.

Mitigation

Update to version 7.6.47 or later.

References

https://wordpress.org/plugins/wpdiscuz/
https://wordpress.org/plugins/wpdiscuz/#developers
https://www.vulncheck.com/advisories/wpdiscuz-before-destructive-get-action-deletes-all-comments-by-email

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-22202
Severity: High
CVSS Score: 8.1
Type: cross_site_request_forgery
Status: new

CWE

CWE-352

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H