Vulnerability Description
wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability: anonymous users can trigger mass notification emails through the checkNotificationType() function. An attacker can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id values to flood subscribers with notifications, because the handler performs no nonce verification, no authentication check, and no rate limiting. Each forged request costs the attacker one HTTP call but costs the site one outbound email per subscriber, so the amplification lands on the mail queue and on the subscribers' inboxes rather than on the web server alone.
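Because the abuse is a burst of otherwise well-formed requests to one endpoint, the simplest place to catch it in the field is the web server access log. The following detector is an added example written for this page, not code from wpDiscuz or from the advisory: it parses combined-format log lines, keeps a sliding per-client window of hits on the wpdiscuz-ajax.php endpoint, and flags clients that exceed a threshold. The endpoint path, the window and threshold values, and the sample log lines are all constructed assumptions for the example (POST bodies carrying postId and comment_id are not visible in an access log, so the detector keys on endpoint and rate only).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: the plugin's AJAX entry point is identified by this file name;
# only the basename is matched so the plugin directory prefix does not matter.
ENDPOINT = "wpdiscuz-ajax.php"
WINDOW_SECONDS = 60   # sliding window length (assumed tuning value)
THRESHOLD = 20        # more hits than this per window per client is a burst

# Apache/nginx "combined" log format:
# ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def hits_endpoint(path):
    """True when the request path (query string stripped) ends in the endpoint."""
    return path.split("?", 1)[0].rstrip("/").endswith(ENDPOINT)


def detect_bursts(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Sliding-window count of endpoint hits per client IP.

    Returns {ip: peak_hits_in_window} for every client whose count within
    any `window`-second span exceeded `threshold`. Lines are assumed to be
    in chronological order, as an access log normally is.
    """
    recent = defaultdict(deque)   # ip -> timestamps of hits inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not hits_endpoint(rec["path"]):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop hits that fell out of the window relative to this request.
        while (rec["ts"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# --- Constructed sample log (not real traffic) --------------------------------
_T0 = datetime(2026, 1, 15, 10, 0, 0, tzinfo=timezone.utc)


def make_line(ip, offset_s, path, method="POST", status=200):
    ts = _T0 + timedelta(seconds=offset_s)
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"{method} {path} HTTP/1.1" {status} 17 "-" "curl/8.4"')


_AJAX = "/wp-content/plugins/wpdiscuz/utils/ajax/wpdiscuz-ajax.php"  # assumed path

SAMPLE_LOG = []
for i in range(45):                       # one client hammering the handler
    SAMPLE_LOG.append(make_line("203.0.113.7", i, _AJAX))
    if i % 15 == 0:                       # a normal visitor interleaved
        SAMPLE_LOG.append(make_line("198.51.100.4", i, _AJAX))
        SAMPLE_LOG.append(make_line("198.51.100.4", i, "/index.php", "GET"))
SAMPLE_LOG.sort(key=lambda l: parse_line(l)["ts"])


if __name__ == "__main__":
    for ip, peak in detect_bursts(SAMPLE_LOG).items():
        print(f"burst from {ip}: {peak} hits on {ENDPOINT} within {WINDOW_SECONDS}s")
```

The same sliding-window logic is what the server-side fix needs, keyed by client address (or by postId plus client address) inside the handler, alongside the nonce and authentication checks the description says were missing; log-based detection only tells you after the fact that a burst happened.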
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gvectors | Wpdiscuz | < 7.6.47 |
Related Weaknesses (CWE)
References
- https://wordpress.org/plugins/wpdiscuz/ (Product)
- https://wordpress.org/plugins/wpdiscuz/#developers (Product, Release Notes)
- https://www.vulncheck.com/advisories/wpdiscuz-before-unauthenticated-email-notif (Third Party Advisory)
FAQ
What is CVE-2026-22182?
CVE-2026-22182 is a vulnerability with a CVSS score of 7.5 (HIGH). wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType() function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id parameters to flood subscribers with notifications, as the handler lacks nonce verification, authentication checks, and rate limiting.
How severe is CVE-2026-22182?
CVE-2026-22182 has been rated HIGH with a CVSS base score of 7.5/10. The score reflects an attack that needs no authentication and no user interaction; the impact is on availability (mail queue and subscriber inboxes), not on confidentiality or integrity of site data.
Is there a patch for CVE-2026-22182?
The affected range is wpDiscuz before 7.6.47, so updating the plugin to 7.6.47 or later resolves the issue. See the references section above for the vendor release notes and the third-party advisory. Affected products: Gvectors wpDiscuz.