CVE-2026-22215 is a Cross-Site Request Forgery vulnerability identified in the wpDiscuz WordPress plugin, specifically in versions before 7.6.47. The vulnerability resides in the getFollowsPage() function, which handles user follow relationships but lacks proper nonce validation, a critical security mechanism designed to prevent CSRF attacks. This absence allows attackers to craft malicious HTTP requests that can be executed by authenticated users without their knowledge or consent, thereby triggering unauthorized actions on their behalf. The exploit enables attackers to enumerate follow relationships between users and manipulate follow data, potentially compromising user privacy and trust. The vulnerability requires no authentication or privileges but does require user interaction, such as visiting a maliciously crafted webpage. The CVSS 4.0 base score is 5.3, indicating a medium severity level due to the network attack vector, low complexity, no privileges required, but user interaction needed. No known exploits have been reported in the wild yet. The vulnerability affects the wpDiscuz plugin, which is widely used for enhancing WordPress comment systems, making numerous WordPress sites potentially vulnerable. The lack of nonce validation in a critical function highlights a common security oversight in plugin development. Remediation involves updating to version 7.6.47 or later where nonce validation is implemented to prevent CSRF attacks.

The primary impact of this vulnerability is unauthorized manipulation of user follow data and enumeration of follow relationships, which can lead to privacy violations and potential social engineering or targeted attacks. Attackers can exploit this flaw to alter user interactions and relationships within the commenting system, undermining user trust and the integrity of community engagement. Although it does not directly lead to remote code execution or data exfiltration, the ability to manipulate user data without consent can have reputational damage and compliance implications, especially for sites handling sensitive user information. The vulnerability affects any WordPress site using vulnerable versions of wpDiscuz, which is a popular plugin, thus potentially impacting a large number of websites globally. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in scenarios involving targeted phishing or malicious links. Organizations relying on wpDiscuz for community engagement may face disruptions and loss of user confidence if exploited.

Organizations should immediately update wpDiscuz to version 7.6.47 or later, where the CSRF protection via nonce validation is implemented. If immediate patching is not feasible, administrators should consider disabling the follow feature or restricting access to the getFollowsPage() functionality through web application firewalls or custom access controls. Implementing Content Security Policy (CSP) headers and SameSite cookies can reduce the risk of CSRF attacks by limiting cross-origin requests. Monitoring web server logs for unusual requests to the follows page handler can help detect attempted exploitation. Educating users about phishing risks and avoiding clicking on suspicious links reduces the likelihood of successful user interaction-based attacks. Plugin developers should adopt secure coding practices, including consistent use of nonce validation for all state-changing requests. Regular security audits and vulnerability scanning of WordPress plugins are recommended to identify and remediate similar issues proactively.