CVE-2026-22182

wpDiscuz before 7.6.47 - Unauthenticated Email Notification Flood via wpdCheckNotificationType

CVSS 8.7 HIGHEPSS 0.5%CWE-862

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 8.7EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

13 mar 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType() function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id parameters to flood subscribers with notifications, as the handler lacks nonce verification, authentication checks, and rate limiting.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Productos afectados

gVectors · wpDiscuz

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://wordpress.org/plugins/wpdiscuz/https://wordpress.org/plugins/wpdiscuz/#developers https://www.vulncheck.com/advisories/wpdiscuz-before-unauthenticated-email-notification-flood-via-wpdchecknotificationtype