CVE-2026-22216

Medium CVSS: 6.9

wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notification emails to victim accounts.

Vendor

Gvectors

Product

Wpdiscuz

CWE

CWE-799

Yayın Tarihi

2026-03-13 19:54:11

Güncelleme

2026-03-17 11:43:07

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-799 Wpdiscuz MEDIUM Gvectors 2026

Referanslar

https://wordpress.org/plugins/wpdiscuz/ https://wordpress.org/plugins/wpdiscuz/#developers https://www.vulncheck.com/advisories/wpdiscuz-before-no-rate-limiting-on-subscription-endpoints-with-like-wildcard-bypass

Benzer Kayıtlar

Medium

CVE-2026-22215

wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability in the getFollowsPage() function that allows…

Medium

CVE-2026-22209

wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators t…

Low

CVE-2026-22210

wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code thro…

Medium

CVE-2026-22201

wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP() function that allows attackers to bypass IP-…

Medium

CVE-2026-22202

wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments…

Medium

CVE-2026-22203

wpDiscuz before 7.6.47 contains an information disclosure vulnerability that allows administrators to inadvertently expo…