Description

wpDiscuz before 7.6.47 contains a cross-site request forgery (CSRF) vulnerability in the getFollowsPage() function: the follows page handler performs no nonce validation, so an attacker can craft requests that trigger unauthorized actions on behalf of a user, enumerating follow relationships and manipulating that user's follow data.

Status: PUBLISHED | Reserved 2026-01-06 | Published 2026-03-13 | Updated 2026-03-13 | Assigner: VulnCheck




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Problem types

Cross-Site Request Forgery (CSRF)

Product status

Default status: unaffected
Any version before 7.6.47: affected
7.6.47: unaffected

Credits

Scott Moore (VulnCheck), finder

References

wordpress.org/plugins/wpdiscuz/ (wpDiscuz Changelog), patch

wordpress.org/plugins/wpdiscuz/ (wpDiscuz), product

www.vulncheck.com/...ng-csrf-protection-on-wpdgetfollowspage (VulnCheck Advisory: wpDiscuz before 7.6.47 - Missing CSRF Protection on wpdGetFollowsPage), third-party advisory

cve.org (CVE-2026-22215)

nvd.nist.gov (CVE-2026-22215)