CVE-2026-22199

Medium CVSS: 6.9

wpDiscuz before 7.6.47 contains a vote manipulation vulnerability that allows attackers to manipulate comment votes by obtaining fresh nonces and bypassing rate limiting through client-controlled headers. Attackers can vary User-Agent headers to reset rate limits, request nonces from the unauthenticated wpdGetNonce endpoint, and vote multiple times using IP rotation or reverse proxy header manipulation.

Vendor

Gvectors

Product

Wpdiscuz

CWE

CWE-290

Yayın Tarihi

2026-03-13 19:54:09

Güncelleme

2026-03-17 20:26:29

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-290 Wpdiscuz MEDIUM Gvectors 2026

Referanslar

https://wordpress.org/plugins/wpdiscuz/ https://wordpress.org/plugins/wpdiscuz/#developers https://www.vulncheck.com/advisories/wpdiscuz-before-vote-manipulation-via-nonce-oracle-and-ip-rotation

Benzer Kayıtlar

Medium

CVE-2026-22215

wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability in the getFollowsPage() function that allows…

Medium

CVE-2026-22216

wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe…

Medium

CVE-2026-22209

wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators t…

Low

CVE-2026-22210

wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code thro…

Medium

CVE-2026-22201

wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP() function that allows attackers to bypass IP-…

Medium

CVE-2026-22202

wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments…