HIGHCVE-2026-22182Published 2026-03-13Modified 2026-03-13CNA VulnCheck

CVE-2026-22182: wpDiscuz before 7.6.47 - Unauthenticated Email Notification Flood via wpdCheckNotificationType

wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType() function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id parameters to flood subscribers with notifications, as the handler lacks nonce verification, authentication checks, and rate limiting.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 7.6.47
Affected Products: 1

Fix available

7.6.47

Patch commits

wpDiscuz Changelog

Affected packages

gVectors / wpDiscuz
< 7.6.47 (from 0)
Fixed in 7.6.47

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

wpDiscuz Changelog
wpDiscuz
VulnCheck Advisory: wpDiscuz before 7.6.47 - Unauthenticated Email Notification Flood via wpdCheckNotificationType

Metrics

Fix available