CVE-2026-22202: Cross-Site Request Forgery (CSRF) in gVectors wpDiscuz
wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to trigger permanent deletion of comments without user confirmation or POST-based CSRF protection.
AI Analysis
Technical Summary
CVE-2026-22202 is a medium-severity CSRF vulnerability affecting wpDiscuz, a popular WordPress commenting plugin developed by gVectors. Versions prior to 7.6.47 allow attackers to delete all comments tied to a particular email address by exploiting the deletecomments action endpoint. The vulnerability stems from the fact that this action can be triggered via a GET request that includes a valid HMAC key, which is normally used for authentication or integrity verification. However, the plugin fails to enforce POST-only methods or additional CSRF protections such as anti-CSRF tokens or user confirmation dialogs. Consequently, an attacker can craft a malicious URL embedding the deletecomments action and trick a user into loading it, for example, through an image tag or other resource inclusion in a webpage or email. When the victim’s browser loads this resource, the GET request is sent automatically, causing permanent deletion of the targeted comments without the user’s knowledge or consent. The vulnerability does not require the attacker to have any privileges or the victim to be authenticated, but user interaction (visiting a malicious page) is necessary. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, an attack requirement of user interaction, no privileges required, and high impact on the integrity and availability of data. There are no known exploits in the wild as of the publication date, and no official patches or mitigation instructions have been provided yet. The vulnerability highlights a design flaw in the handling of sensitive actions via GET requests and insufficient CSRF protections in wpDiscuz.
Potential Impact
The primary impact of this vulnerability is the unauthorized deletion of user comments associated with specific email addresses on websites using vulnerable versions of wpDiscuz. This can lead to data loss, disruption of community discussions, and damage to the website’s reputation and user trust. For organizations relying on user-generated content for engagement, marketing, or customer support, such deletions could degrade user experience and reduce site credibility. Since the attack can be triggered remotely and without authentication, any visitor to a maliciously crafted page could cause damage, increasing the attack surface. Although the vulnerability does not allow full site compromise or data exfiltration, the integrity and availability of comment data are significantly affected. This may also facilitate further social engineering or phishing attacks by erasing legitimate user feedback or replacing it with malicious content if combined with other vulnerabilities. The medium severity rating reflects the moderate but tangible risk to data integrity and availability without direct impact on confidentiality.
Mitigation Recommendations
Organizations should upgrade wpDiscuz to version 7.6.47 or later once available, as this is expected to contain fixes for this vulnerability. Until a patch is released, administrators can implement several practical mitigations:
1) Restrict access to the deletecomments endpoint by IP or user role via web application firewall (WAF) rules or server configurations to block unauthorized GET requests.
2) Disable or limit the use of HMAC keys in URLs for sensitive actions, or ensure they are validated with strict nonce or token mechanisms.
3) Implement custom CSRF protections by enforcing POST methods for state-changing actions and requiring user confirmation dialogs before comment deletions.
4) Monitor web server logs for suspicious GET requests containing deletecomments actions and investigate unusual comment deletions promptly.
5) Educate users and administrators about the risks of clicking unknown links or visiting untrusted websites to reduce the likelihood of triggering CSRF attacks.
6) Consider temporarily disabling comment deletion features if feasible until a secure patch is applied.
These steps go beyond generic advice by focusing on access control, request validation, and user interaction safeguards specific to this vulnerability.
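Mitigation 4 above (log monitoring) can be turned into a small triage script. The following is an added example, not code from wpDiscuz or the advisory: it parses combined-format access log lines, flags any GET request that carries the deletecomments action, and marks whether the Referer is missing or foreign, which is the pattern the image-tag delivery described above would leave. The `action` query parameter name, the `admin-ajax.php` path, the hostname `blog.example` and the log lines themselves are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache/nginx "combined" format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SITE_HOST = "blog.example"  # assumed hostname of the site being protected

# Constructed sample traffic, not a real capture. The "action" parameter name and
# the admin-ajax.php path are assumptions; the advisory only names the deletecomments action.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Mar/2026:02:01:11 +0000] "GET /wp-admin/admin-ajax.php?action=deletecomments&key=abc123 HTTP/1.1" 200 512 "https://evil.example/post.html" "Mozilla/5.0"
198.51.100.7 - - [13/Mar/2026:02:01:12 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 8123 "https://blog.example/" "Mozilla/5.0"
192.0.2.44 - - [13/Mar/2026:02:02:03 +0000] "POST /wp-admin/admin-ajax.php?action=deletecomments HTTP/1.1" 200 43 "https://blog.example/wp-admin/" "Mozilla/5.0"
203.0.113.11 - - [13/Mar/2026:02:03:20 +0000] "GET /wp-admin/admin-ajax.php?action=deletecomments&key=def456 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Mar/2026:02:04:05 +0000] "GET /wp-admin/admin-ajax.php?action=deletecomments&key=ghi789 HTTP/1.1" 200 512 "https://blog.example/wp-admin/" "Mozilla/5.0"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_delete_via_get(entry):
    """A state-changing action should never ride on GET; any GET carrying it deserves a look."""
    if entry["method"] != "GET":
        return False
    actions = parse_qs(urlparse(entry["path"]).query).get("action", [])
    return "deletecomments" in actions or "deletecomments" in entry["path"]

def referer_is_cross_site(entry):
    """Missing or foreign Referer is consistent with a request triggered from another site."""
    ref = entry["referer"]
    if ref in ("", "-"):
        return True
    return urlparse(ref).hostname != SITE_HOST

def find_csrf_candidates(log_text):
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and is_delete_via_get(e):
            hits.append({"ip": e["ip"], "time": e["time"], "referer": e["referer"],
                         "cross_site": referer_is_cross_site(e)})
    return hits
```

Same-site GET hits are still reported (the GET itself is the defect); the `cross_site` flag just orders the investigation queue.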
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-06T16:47:17.185Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b36fc02f860ef9434ef2a9
Added to database: 3/13/2026, 2:00:32 AM
Last enriched: 3/13/2026, 2:16:00 AM
Last updated: 3/14/2026, 2:28:40 AM