wpDiscuz Cross-Site Request Forgery Vulnerability Allowing Comment Deletion

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in the wpDiscuz WordPress plugin, affecting versions prior to 7.6.47. This vulnerability allows attackers to delete all comments associated with a specific email address by sending a crafted GET request that includes a valid HMAC key. The deletion action can be embedded in image tags or other resources, enabling comments to be permanently removed without any user confirmation or the protection typically offered by POST-based CSRF safeguards.
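The request-handling pattern described above, next to a hardened form, as an added example that is not wpDiscuz code and not its actual fix in 7.6.47. The parameter names email and key, the secret, and the delete callback are hypothetical, and the request data is constructed.

```php
<?php
// Added illustration, not wpDiscuz code. Parameter names, the secret and the
// delete callback are hypothetical.

const SECRET = 'constructed-demo-secret'; // constructed sample value

function link_key(string $email): string {
    return hash_hmac('sha256', strtolower($email), SECRET);
}

function key_is_valid(array $params): bool {
    $email = (string)($params['email'] ?? '');
    $key   = (string)($params['key'] ?? '');
    return $email !== '' && hash_equals(link_key($email), $key);
}

// Pattern described in the advisory: any request with a valid key deletes at once.
function handle_vulnerable(string $method, array $params, callable $delete): string {
    if (key_is_valid($params)) {
        $delete($params['email']);
        return 'deleted';
    }
    return 'rejected';
}

// Hardened: GET is side-effect free and only asks for confirmation; the
// deletion runs only on an explicit POST carrying the same key. In WordPress
// the POST step would normally also verify a nonce (wp_verify_nonce).
function handle_hardened(string $method, array $params, callable $delete): string {
    if (!key_is_valid($params)) {
        return 'rejected';
    }
    if ($method !== 'POST') {
        return 'confirm'; // caller renders a form that POSTs email + key
    }
    $delete($params['email']);
    return 'deleted';
}

// Constructed request, shaped like the GET a browser issues for an embedded resource.
$deleted = [];
$delete  = function (string $email) use (&$deleted) { $deleted[] = $email; };
$req     = ['email' => 'reader@example.com', 'key' => link_key('reader@example.com')];

echo handle_vulnerable('GET', $req, $delete), "\n"; // GET alone changes state
echo handle_hardened('GET', $req, $delete), "\n";   // GET only asks to confirm
echo handle_hardened('POST', $req, $delete), "\n";  // explicit confirmation step
echo count($deleted), "\n";                         // deletions actually performed
```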

Impact

Exploitation of this vulnerability leads to the unauthorized deletion of comments, causing potential loss of important user engagement and feedback.

Added: Mar 13, 2026, 8:10 PM
Updated: Mar 13, 2026, 8:10 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 5.6
remediation: 7.7
relevance: 3.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.