CVE-2026-22182

HIGH 7.5

wpDiscuz before 7.6.47 - Unauthenticated Email Notification Flood via wpdCheckNotificationType

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType() function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id parameters to flood subscribers with notifications, as the handler lacks nonce verification, authentication checks, and rate limiting.

CWE	CWE-862
Vendor	gvectors
Product	wpdiscuz
Published	Mar 13, 2026
Last Updated	Mar 13, 2026

Stay Ahead of the Next One

Get instant alerts for gvectors wpdiscuz

Be the first to know when new high vulnerabilities affecting gvectors wpdiscuz are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

gVectors / wpDiscuz

0 < 7.6.47

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordpress.org: https://wordpress.org/plugins/wpdiscuz/#developers wordpress.org: https://wordpress.org/plugins/wpdiscuz/ vulncheck.com: https://www.vulncheck.com/advisories/wpdiscuz-before-unauthenticated-email-notification-flood-via-wpdchecknotificationtype

Credits

Scott Moore - VulnCheck