CVE-2026-22182

HIGH

7.5

Beschreibung

wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType() function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id parameters to flood subscribers with notifications, as the handler lacks nonce verification, authentication checks, and rate limiting.

CVE Details

CVSS v3.1 Bewertung7.5

SchweregradHIGH

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienNONE

BenutzerinteraktionNONE

Veroffentlicht3/13/2026

Zuletzt geandert3/17/2026

Quellenvd

Honeypot-Sichtungen0

Betroffene Produkte

gvectors:wpdiscuz

Schwachen (CWE)

CWE-862CWE-770CWE-862

Referenzen

https://wordpress.org/plugins/wpdiscuz/(disclosure@vulncheck.com)

https://wordpress.org/plugins/wpdiscuz/#developers(disclosure@vulncheck.com)

https://www.vulncheck.com/advisories/wpdiscuz-before-unauthenticated-email-notification-flood-via-wpdchecknotificationtype(disclosure@vulncheck.com)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.