CVE-2026-22182
HIGH WAF: Low
CVSS 7.5
Published: 2026-03-13
CWE-862 CWE-862
wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType() function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id parameters to flood subscribers with notifications, as the handler lacks nonce verification, authentication checks, and rate limiting.
WAF Coverage Analysis
Missing Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Missing Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| gvectors | wpdiscuz | up to 7.6.47 |
References
- wordpress.org (Product)
- wordpress.org (Product, Release Notes)
- www.vulncheck.com (Third Party Advisory)