CVE-2026-22182
HIGHwpDiscuz < 7.6.47 - Unauthenticated Denial of Service via Notification Email Flood
Title source: llmDescription
wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType() function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id parameters to flood subscribers with notifications, as the handler lacks nonce verification, authentication checks, and rate limiting.
References (3)
Core 3
Core References
Product patch
https://wordpress.org/plugins/wpdiscuz/#developers
Product product
https://wordpress.org/plugins/wpdiscuz/
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/wpdiscuz-before-unauthenticated-email-notification-flood-via-wpdchecknotificationtype
Scores
CVSS v3
7.5
EPSS
0.0052
EPSS Percentile
40.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-770
CWE-862
Status
published
Products (3)
gVectors/wpDiscuz
< 7.6.47
gvectors/wpdiscuz
< 7.6.47
gVectors/wpDiscuz
7.6.47
Published
Mar 13, 2026
Tracked Since
Mar 14, 2026