Skip to main content

Wpdiscuz CVE-2026-22201

| EUVDEUVD-2026-11746 MEDIUM
Use of Less Trusted Source (CWE-348)
2026-03-13 VulnCheck
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 17, 2026 - 20:25 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 07:58 euvd
EUVD-2026-11746
Analysis Generated
Mar 13, 2026 - 07:58 vuln.today
CVE Published
Mar 13, 2026 - 01:18 nvd
MEDIUM 5.3

DescriptionCVE.org

wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP() function that allows attackers to bypass IP-based rate limiting and ban enforcement by trusting untrusted HTTP headers. Attackers can set HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR headers to spoof their IP address and circumvent security controls.

AnalysisAI

wpDiscuz before version 7.6.47 contains an IP spoofing vulnerability in the getIP() function that allows unauthenticated attackers to spoof their IP address by manipulating HTTP headers (HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR). This enables circumvention of IP-based rate limiting and ban enforcement mechanisms, allowing attackers to bypass security controls that rely on IP-based detection. The vulnerability has a CVSS score of 5.3 with low attack complexity and no authentication required, making it easily exploitable in network environments.

Technical ContextAI

The vulnerability exists in the wpDiscuz plugin's getIP() function, which improperly validates the source of IP address information by trusting untrusted HTTP headers without verifying their legitimacy. The root cause is classified under CWE-348 (Clipped Characters in Identifiers with Security Implications), which in this context refers to improper handling of user-controllable input headers that should not be trusted for security-critical decisions. The plugin fails to implement proper IP validation by checking whether the X-Forwarded-For and Client-IP headers come from legitimate proxy servers or load balancers, instead accepting any value provided by a client. This is a common misconfiguration in WordPress plugins that do not account for the difference between direct client connections and connections through legitimate reverse proxies. The affected product is wpDiscuz (CPE: cpe:2.3:a:wpdiscuz:wpdiscuz), a WordPress commenting plugin used across thousands of installations.

RemediationAI

The primary remediation is to upgrade wpDiscuz to version 7.6.47 or later immediately, which includes fixes to the getIP() function to properly validate and filter HTTP headers. This update should be applied through the WordPress plugin management dashboard or manually via the official plugin repository. Until patching is feasible, site administrators should implement compensating controls: configure the WordPress site to reject or ignore HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR headers at the web server level unless connections originate from known legitimate proxy infrastructure, implement rate limiting at the reverse proxy or WAF layer rather than relying solely on application-level IP-based controls, enforce additional CAPTCHA or token-based rate limiting on comment submission forms, and monitor comment activity logs for suspicious patterns such as rapid-fire submissions from varied apparent IPs. Sites using a reverse proxy (nginx, Apache mod_proxy, or cloud WAF) should ensure proper configuration to pass only legitimate client IP information and ignore client-supplied headers.

CVE-2020-24186 CRITICAL POC
10.0 Aug 24

A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allo

CVE-2020-13640 CRITICAL POC
9.8 Jun 18

A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute

CVE-2024-9488 CRITICAL
9.8 Oct 25

The Comments - wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including

CVE-2026-22192 HIGH
8.8 Mar 13

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a stored cross-site script

CVE-2023-47775 HIGH
8.8 Nov 22

Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team Comments - wpDiscuz plugin <= 7.6.11 versions. Rated hi

CVE-2022-43492 HIGH
8.8 Nov 18

Auth. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch

CVE-2021-24737 MEDIUM POC
4.8 Oct 11

The Comments - wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow mess

CVE-2026-22199 HIGH
8.7 Mar 13

wpDiscuz before version 7.6.47 contains a vote manipulation vulnerability that allows unauthenticated attackers to artif

CVE-2021-24806 MEDIUM POC
4.3 Nov 08

The wpDiscuz WordPress plugin before 7.3.4 does check for CSRF when adding, editing and deleting comments, which could a

CVE-2026-22193 HIGH
8.1 Mar 13

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains an SQL injection vulnerabili

CVE-2026-22202 HIGH
8.1 Mar 13

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a cross-site request forgery

CVE-2026-22182 HIGH
7.5 Mar 13

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains an unauthenticated denial of

Share

CVE-2026-22201 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy