CVE-2026-22182

wpDiscuz before 7.6.47 - Unauthenticated Email Notification Flood via wpdCheckNotificationType

CVSS 8.7 HIGHEPSS 0.5%CWE-862

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 8.7EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

13 mar 2026Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType() function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id parameters to flood subscribers with notifications, as the handler lacks nonce verification, authentication checks, and rate limiting.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Produtos afetados

gVectors · wpDiscuz

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://wordpress.org/plugins/wpdiscuz/https://wordpress.org/plugins/wpdiscuz/#developers https://www.vulncheck.com/advisories/wpdiscuz-before-unauthenticated-email-notification-flood-via-wpdchecknotificationtype