CVE-2026-22215

MEDIUM 4.3

wpDiscuz before 7.6.47 - Missing CSRF Protection on wpdGetFollowsPage

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

0th

wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability in the getFollowsPage() function that allows attackers to trigger unauthorized actions without nonce validation. Attackers can craft malicious requests to enumerate follow relationships and manipulate user follow data by exploiting the missing CSRF protection in the follows page handler.

CWE	CWE-352
Vendor	gvectors
Product	wpdiscuz
Published	Mar 13, 2026
Last Updated	Mar 13, 2026

Stay Ahead of the Next One

Get instant alerts for gvectors wpdiscuz

Be the first to know when new medium vulnerabilities affecting gvectors wpdiscuz are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

gVectors / wpDiscuz

0 < 7.6.47

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordpress.org: https://wordpress.org/plugins/wpdiscuz/#developers wordpress.org: https://wordpress.org/plugins/wpdiscuz/ vulncheck.com: https://www.vulncheck.com/advisories/wpdiscuz-before-missing-csrf-protection-on-wpdgetfollowspage

Credits

Scott Moore - VulnCheck