anonhaven
Ad

CVE-2026-22215

MEDIUM CVSS 4.0: 5.3 EPSS 0.02%
Updated Mar 17, 2026
Gvectors
Parameter Value
CVSS 5.3 (MEDIUM)
Affected Versions before 7.6.47
Fixed In 7.6.47
Type CWE-352 (Cross-Site Request Forgery (CSRF))
Vendor Gvectors
Public PoC No

wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability in the getFollowsPage() function that allows attackers to trigger unauthorized actions without nonce validation. Attackers can craft malicious requests to enumerate follow relationships and manipulate user follow data by exploiting the missing CSRF protection in the follows page handler.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
Passive
Minimal interaction

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-352 Cross-Site Request Forgery (CSRF)

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Gvectors Wpdiscuz
cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
 7.6.47

References 3

https://wordpress.org/plugins/wpdiscuz/
disclosure@vulncheck.com
https://wordpress.org/plugins/wpdiscuz/#developers
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/wpdiscuz-before-missing-csrf-protection-on…
disclosure@vulncheck.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-22216

PHP

6.9

CVE-2026-22210

Gvectors

2.1

CVE-2026-22209

Gvectors

5.1

CVE-2026-22204

Gvectors

6.3

CVE-2026-22203

Gvectors

6.9