Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability in the getFollowsPage() function that allows attackers to trigger unauthorized actions without nonce validation. Attackers can craft malicious requests to enumerate follow relationships and manipulate user follow data by exploiting the missing CSRF protection in the follows page handler.
AnalysisAI
wpDiscuz before version 7.6.47 contains a cross-site request forgery (CSRF) vulnerability in the getFollowsPage() function that allows unauthenticated attackers to trigger unauthorized actions on behalf of legitimate users without valid nonce validation. An attacker can exploit this by crafting malicious requests to enumerate user follow relationships and manipulate follow data, potentially exposing private social graph information and allowing unauthorized modifications to user follow lists. While the CVSS score of 4.3 indicates low to moderate severity with limited direct impact, the vulnerability requires user interaction (UI:R) but has network-accessible attack surface with no authentication requirement, making it practically exploitable in targeted phishing campaigns.
Technical ContextAI
wpDiscuz is a WordPress plugin that provides discussion and commenting functionality with social features including user following mechanisms. The vulnerability exists in the getFollowsPage() function, which is part of the plugin's AJAX handler for follow-related operations. The root cause falls under CWE-352 (Cross-Site Request Forgery), indicating that the application fails to implement proper CSRF token validation (nonce verification) before processing state-changing requests. WordPress typically protects against CSRF through wp_nonce_field() and wp_verify_nonce() functions, but the affected code path bypasses these security checks. The follows functionality likely interacts with user metadata storage and relationship tables in the WordPress database, making improper access control particularly concerning for privacy-sensitive follow/unfollow relationships.
RemediationAI
The primary remediation is to upgrade wpDiscuz to version 7.6.47 or later immediately via the WordPress Plugins dashboard (Plugins > Installed Plugins > wpDiscuz > Update). This patch version implements proper nonce validation in the getFollowsPage() function and other affected AJAX handlers. For sites unable to update immediately, temporarily disable the follow feature by adding a code filter to disable the AJAX endpoints, or restrict access to wpDiscuz functionality via WAF rules blocking requests to /wp-admin/admin-ajax.php?action=wpdiscuz_get_follows_page. Additionally, audit user follow relationships for unauthorized changes by reviewing WordPress user metadata and wpDiscuz follow tables for suspicious modifications made during the vulnerability window. Verify that WordPress security headers (CSP, X-Frame-Options) are properly configured to provide defense-in-depth against CSRF-style attacks.
A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allo
A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute
The Comments - wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including
Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a stored cross-site script
Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team Comments - wpDiscuz plugin <= 7.6.11 versions. Rated hi
Auth. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch
The Comments - wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow mess
wpDiscuz before version 7.6.47 contains a vote manipulation vulnerability that allows unauthenticated attackers to artif
The wpDiscuz WordPress plugin before 7.3.4 does check for CSRF when adding, editing and deleting comments, which could a
High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains an SQL injection vulnerabili
High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a cross-site request forgery
High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains an unauthenticated denial of
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11752