CVE-2026-22199 is a vulnerability in the wpDiscuz plugin for WordPress, specifically versions before 7.6.47, that enables attackers to manipulate comment votes by bypassing authentication and rate limiting mechanisms. The vulnerability arises because attackers can request fresh nonces from the unauthenticated wpdGetNonce endpoint, which are normally used to validate legitimate voting actions. Additionally, the plugin's rate limiting can be circumvented by varying client-controlled HTTP headers such as User-Agent, allowing attackers to reset or evade vote limits. Attackers can further amplify their impact by rotating IP addresses or manipulating reverse proxy headers, enabling multiple fraudulent votes to be cast. This results in vote manipulation that can distort community feedback and user trust. The vulnerability requires no authentication or user interaction, making it easier to exploit remotely. The CVSS 4.0 score of 6.9 reflects a medium severity, with network attack vector, low complexity, no privileges or user interaction needed, and limited impact on integrity due to vote manipulation. No known exploits have been reported in the wild yet. The vulnerability highlights weaknesses in nonce issuance and rate limiting design in wpDiscuz, which is widely used for enhancing WordPress comment systems.

The primary impact of CVE-2026-22199 is the integrity compromise of comment voting systems on websites using vulnerable versions of wpDiscuz. Attackers can artificially inflate or deflate comment votes, misleading users and administrators about community sentiment or content popularity. This can undermine trust in online discussions, skew moderation decisions, and potentially influence public opinion or product reputations. For e-commerce or review sites using wpDiscuz votes as part of their feedback mechanisms, this could lead to reputational damage or financial loss. While the vulnerability does not directly affect confidentiality or availability, the manipulation of voting data can have significant indirect consequences. Organizations relying on wpDiscuz for user engagement or content validation are at risk of data integrity issues and loss of user confidence. The ease of exploitation without authentication or user interaction increases the likelihood of automated abuse or large-scale vote manipulation campaigns.

To mitigate CVE-2026-22199, organizations should promptly update wpDiscuz to version 7.6.47 or later once the patch is released by gVectors. Until then, administrators can implement stricter server-side nonce validation to ensure nonces are only issued to authenticated or verified users. Enhancing rate limiting mechanisms to consider multiple headers and IP addresses more robustly can reduce the risk of evasion via User-Agent or proxy header manipulation. Web application firewalls (WAFs) can be configured to detect and block suspicious patterns such as rapid nonce requests or unusual header variations. Monitoring comment voting patterns for anomalies, such as sudden vote spikes or repeated votes from similar IP ranges, can help detect exploitation attempts. Disabling or restricting access to the wpdGetNonce endpoint for unauthenticated users may also reduce attack surface. Finally, educating site administrators about this vulnerability and encouraging timely plugin updates is critical for effective defense.