CVE-2026-22182

HIGH

7.5

Descripcion

wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType() function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id parameters to flood subscribers with notifications, as the handler lacks nonce verification, authentication checks, and rate limiting.

Detalles CVE

Puntuacion CVSS v3.17.5

SeveridadHIGH

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado3/13/2026

Ultima modificacion3/17/2026

Fuentenvd

Avistamientos honeypot0

Productos afectados

gvectors:wpdiscuz

Debilidades (CWE)

CWE-862CWE-770CWE-862

Referencias

https://wordpress.org/plugins/wpdiscuz/(disclosure@vulncheck.com)

https://wordpress.org/plugins/wpdiscuz/#developers(disclosure@vulncheck.com)

https://www.vulncheck.com/advisories/wpdiscuz-before-unauthenticated-email-notification-flood-via-wpdchecknotificationtype(disclosure@vulncheck.com)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.