Skip to main content

Wpdiscuz EUVDEUVD-2026-11752

| CVE-2026-22215 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-03-13 VulnCheck
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 16, 2026 - 14:54 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 07:58 euvd
EUVD-2026-11752
Analysis Generated
Mar 13, 2026 - 07:58 vuln.today
CVE Published
Mar 13, 2026 - 01:18 nvd
MEDIUM 4.3

DescriptionCVE.org

wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability in the getFollowsPage() function that allows attackers to trigger unauthorized actions without nonce validation. Attackers can craft malicious requests to enumerate follow relationships and manipulate user follow data by exploiting the missing CSRF protection in the follows page handler.

AnalysisAI

wpDiscuz before version 7.6.47 contains a cross-site request forgery (CSRF) vulnerability in the getFollowsPage() function that allows unauthenticated attackers to trigger unauthorized actions on behalf of legitimate users without valid nonce validation. An attacker can exploit this by crafting malicious requests to enumerate user follow relationships and manipulate follow data, potentially exposing private social graph information and allowing unauthorized modifications to user follow lists. While the CVSS score of 4.3 indicates low to moderate severity with limited direct impact, the vulnerability requires user interaction (UI:R) but has network-accessible attack surface with no authentication requirement, making it practically exploitable in targeted phishing campaigns.

Technical ContextAI

wpDiscuz is a WordPress plugin that provides discussion and commenting functionality with social features including user following mechanisms. The vulnerability exists in the getFollowsPage() function, which is part of the plugin's AJAX handler for follow-related operations. The root cause falls under CWE-352 (Cross-Site Request Forgery), indicating that the application fails to implement proper CSRF token validation (nonce verification) before processing state-changing requests. WordPress typically protects against CSRF through wp_nonce_field() and wp_verify_nonce() functions, but the affected code path bypasses these security checks. The follows functionality likely interacts with user metadata storage and relationship tables in the WordPress database, making improper access control particularly concerning for privacy-sensitive follow/unfollow relationships.

RemediationAI

The primary remediation is to upgrade wpDiscuz to version 7.6.47 or later immediately via the WordPress Plugins dashboard (Plugins > Installed Plugins > wpDiscuz > Update). This patch version implements proper nonce validation in the getFollowsPage() function and other affected AJAX handlers. For sites unable to update immediately, temporarily disable the follow feature by adding a code filter to disable the AJAX endpoints, or restrict access to wpDiscuz functionality via WAF rules blocking requests to /wp-admin/admin-ajax.php?action=wpdiscuz_get_follows_page. Additionally, audit user follow relationships for unauthorized changes by reviewing WordPress user metadata and wpDiscuz follow tables for suspicious modifications made during the vulnerability window. Verify that WordPress security headers (CSP, X-Frame-Options) are properly configured to provide defense-in-depth against CSRF-style attacks.

CVE-2020-24186 CRITICAL POC
10.0 Aug 24

A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allo

CVE-2020-13640 CRITICAL POC
9.8 Jun 18

A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute

CVE-2024-9488 CRITICAL
9.8 Oct 25

The Comments - wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including

CVE-2026-22192 HIGH
8.8 Mar 13

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a stored cross-site script

CVE-2023-47775 HIGH
8.8 Nov 22

Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team Comments - wpDiscuz plugin <= 7.6.11 versions. Rated hi

CVE-2022-43492 HIGH
8.8 Nov 18

Auth. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch

CVE-2021-24737 MEDIUM POC
4.8 Oct 11

The Comments - wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow mess

CVE-2026-22199 HIGH
8.7 Mar 13

wpDiscuz before version 7.6.47 contains a vote manipulation vulnerability that allows unauthenticated attackers to artif

CVE-2021-24806 MEDIUM POC
4.3 Nov 08

The wpDiscuz WordPress plugin before 7.3.4 does check for CSRF when adding, editing and deleting comments, which could a

CVE-2026-22193 HIGH
8.1 Mar 13

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains an SQL injection vulnerabili

CVE-2026-22202 HIGH
8.1 Mar 13

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a cross-site request forgery

CVE-2026-22182 HIGH
7.5 Mar 13

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains an unauthenticated denial of

Share

EUVD-2026-11752 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy