Vulnerability Description
wpDiscuz before 7.6.47 does not rate-limit the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php, so unauthenticated attackers can subscribe arbitrary email addresses to post notifications by sending POST requests to it. Because LIKE wildcard characters in the supplied address are interpreted by the subscription query, a single request can match multiple stored email addresses and generate unwanted notification emails to victim accounts.
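As an added illustration of the two missing controls the description implies, the following Python sketch (not wpDiscuz's own code) escapes LIKE wildcards before the address lookup, rejects addresses that fail a strict syntax check, and rate-limits subscription requests per client; the in-memory table, sample addresses, and all function names are constructed assumptions.

```python
import re
import sqlite3
import time
from collections import defaultdict, deque

# Constructed sample data; this is not wpDiscuz's real schema.
SAMPLE_SUBSCRIBERS = ["alice@example.com", "alicia@example.com", "bob@example.org"]
EMAIL_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (email TEXT)")
    conn.executemany("INSERT INTO subscribers VALUES (?)",
                     [(e,) for e in SAMPLE_SUBSCRIBERS])
    return conn

def esc_like(value):
    # Escape LIKE metacharacters so user input is matched literally
    # (the job WordPress's $wpdb->esc_like() does in a real plugin).
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def find_subscriptions(conn, email, escape=True):
    # escape=False reproduces the weak pattern: wildcards in `email` widen the match.
    pattern = esc_like(email) if escape else email
    rows = conn.execute(
        "SELECT email FROM subscribers WHERE email LIKE ? ESCAPE '\\' ORDER BY email",
        (pattern,))
    return [r[0] for r in rows]

class RateLimiter:
    """Sliding-window limiter keyed by client (e.g. source IP)."""
    def __init__(self, max_requests, window_seconds):
        self.max_requests, self.window = max_requests, window_seconds
        self.hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

def handle_subscribe(conn, limiter, client, email, now=None):
    # Hardened handler: rate-limit first, then validate, then match literally.
    if not limiter.allow(client, now):
        return "rate_limited"
    if not EMAIL_RE.fullmatch(email):
        return "invalid_email"
    return find_subscriptions(conn, email)
```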
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gvectors | Wpdiscuz | < 7.6.47 |
Related Weaknesses (CWE)
References
- https://wordpress.org/plugins/wpdiscuz/ (Product)
- https://wordpress.org/plugins/wpdiscuz/#developers (Product, Release Notes)
- https://www.vulncheck.com/advisories/wpdiscuz-before-no-rate-limiting-on-subscri (Third Party Advisory)
FAQ
What is CVE-2026-22216?
CVE-2026-22216 is a vulnerability with a CVSS score of 6.5 (MEDIUM). wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the...
How severe is CVE-2026-22216?
CVE-2026-22216 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-22216?
Check the references section above for vendor advisories and patch information. Affected products include: Gvectors Wpdiscuz.