CVE-2026-22182

HIGH

wpDiscuz <7.6.47 - DoS

Title source: llm

Description

wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType() function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id parameters to flood subscribers with notifications, as the handler lacks nonce verification, authentication checks, and rate limiting.

References (3)

[Product] https://wordpress.org/plugins/wpdiscuz/#developers

[Product] https://wordpress.org/plugins/wpdiscuz/

[Third Party Advisory] https://www.vulncheck.com/advisories/wpdiscuz-before-unauthenticated-email-notification-flood-via-wpdchecknotificationtype

Scores

CVSS v3 7.5

EPSS 0.0005

EPSS Percentile 13.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-770 CWE-862

Status published

Products (3)

gVectors/wpDiscuz < 7.6.47

gvectors/wpdiscuz < 7.6.47

gVectors/wpDiscuz 7.6.47

Published Mar 13, 2026

Tracked Since Mar 14, 2026