PT-2026-25142 · Gvectors · Wpdiscuz

Scott Moore · Published 2026-03-13 · Updated 2026-03-13 · CVE-2026-22202

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

wpDiscuz versions prior to 7.6.47

Description

The software contains a cross-site request forgery issue that allows attackers to delete all comments associated with an email address. This is achieved by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to trigger permanent deletion of comments without user confirmation or POST-based CSRF protection. The vulnerable API endpoint is /deletecomments. The HMAC key is used to validate the request.

Recommendations

Update wpDiscuz to version 7.6.47 or later.
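
The pattern the description refers to, as an added example that is not wpDiscuz code and not its actual fix: a handler that deletes on any GET carrying a valid HMAC, beside one that deletes only on a POST carrying a one-time token bound to the browser session. The HMAC scheme, function names, secret and session identifiers are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = b"constructed-demo-secret"   # constructed value, not from wpDiscuz
comments = {}                         # email -> list of comment texts
csrf_tokens = {}                      # session id -> one-time confirmation token


def link_key(email):
    """HMAC carried in the deletion link (hypothetical scheme)."""
    return hmac.new(SECRET, email.encode(), hashlib.sha256).hexdigest()


def delete_on_get(method, email, key):
    """Weak pattern: a valid HMAC alone deletes, whatever the HTTP method."""
    if not hmac.compare_digest(link_key(email), key):
        return 403
    comments.pop(email, None)         # state change reachable from a plain GET
    return 200


def delete_with_confirmation(method, email, key, session, token=None):
    """Hardened pattern: GET only renders a confirmation form; deletion needs
    a POST carrying the one-time token issued to the same browser session."""
    if not hmac.compare_digest(link_key(email), key):
        return 403, None
    if method == "GET":
        csrf_tokens[session] = secrets.token_urlsafe(32)
        return 200, csrf_tokens[session]   # token goes into the form; nothing deleted
    if method != "POST":
        return 405, None
    expected = csrf_tokens.get(session)
    if not (expected and token and hmac.compare_digest(expected, token)):
        return 403, None
    del csrf_tokens[session]               # token is single use
    comments.pop(email, None)
    return 200, None
```

In the hardened handler a resource load fired from another site fails twice over: it arrives as a GET, which no longer changes state, and a forged POST lacks the token tied to the victim's session.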

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2026-22202

Affected Products

Wpdiscuz