CVE-2026-22202: Cross-Site Request Forgery (CSRF) in gVectors wpDiscuz
CVE-2026-22202 is a cross-site request forgery (CSRF) vulnerability in the wpDiscuz WordPress plugin before version 7.6.47. This flaw allows attackers to delete all comments associated with a specific email address by sending a crafted GET request containing a valid HMAC key. The vulnerability arises because the deletecomments action can be triggered via image tags or other embedded resources without requiring POST-based CSRF protections or user confirmation. Exploitation does not require authentication but does require user interaction, such as visiting a malicious webpage. The CVSS 4.0 score is 6.1 (medium severity), reflecting the moderate impact on comment integrity and availability but no direct compromise of confidentiality or site control. No known exploits are currently in the wild.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Summary
CVE-2026-22202 is a CSRF vulnerability affecting the wpDiscuz plugin for WordPress versions prior to 7.6.47. The vulnerability allows an attacker to delete all comments linked to a particular email address by crafting a malicious GET request that includes a valid HMAC key. The core issue is that the deletecomments action can be triggered via GET requests embedded in image tags or other HTML elements, bypassing typical CSRF protections that rely on POST requests and user confirmation dialogs. This means an attacker can embed a URL in a webpage or email that, when visited by an authenticated user, causes the deletion of comments without their consent. The attack requires user interaction (visiting a malicious page) but no authentication or elevated privileges, as the HMAC key validation is insufficient to prevent CSRF. The vulnerability impacts the integrity and availability of user-generated content (comments) but does not expose sensitive data or allow site takeover. The CVSS 4.0 vector indicates network attack vector, low attack complexity, partial attack prerequisites, user interaction required, no confidentiality impact, high integrity and availability impact, and no scope change. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly.
Potential Impact
The primary impact of this vulnerability is the unauthorized deletion of user comments associated with specific email addresses, which can lead to loss of valuable user-generated content and damage to community engagement on affected WordPress sites. This undermines the integrity and availability of the comment system, potentially disrupting discussions and user trust. While it does not directly compromise site confidentiality or allow full site control, the ability to delete comments without authorization can be leveraged in targeted harassment campaigns or to censor legitimate feedback. For organizations relying on wpDiscuz for community interaction, this can degrade user experience and harm reputation. The attack requires user interaction but no authentication, increasing the risk of widespread exploitation if attackers distribute malicious links broadly. The lack of POST-based CSRF protections and reliance on a valid HMAC key that can be abused via GET requests makes mitigation urgent to prevent content tampering.
Mitigation Recommendations
Organizations should immediately update wpDiscuz to version 7.6.47 or later, where this vulnerability is patched. Until the update is applied, administrators can implement web application firewall (WAF) rules to block suspicious GET requests containing the deletecomments action or HMAC parameters. Additionally, disabling or restricting the deletecomments functionality to authenticated users with proper CSRF tokens and enforcing POST-only methods for state-changing actions can mitigate exploitation. Site owners should audit comment deletion logs for suspicious activity and educate users about avoiding clicking untrusted links. Implementing Content Security Policy (CSP) headers to restrict embedding of malicious resources and monitoring for unusual traffic patterns targeting comment deletion endpoints can also help. Finally, plugin developers should adopt secure coding practices that enforce strict CSRF protections and avoid using GET requests for destructive actions.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-06T16:47:17.185Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b36fc02f860ef9434ef2a9
Added to database: 3/13/2026, 2:00:32 AM
Last enriched: 3/20/2026, 2:33:34 AM
Last updated: 4/28/2026, 7:25:30 AM
Views: 40