MEDIUM🇵🇱 Wersja polska

CVE-2026-22216

CVSS 6.9v4.0pub. 2026-03-13upd. 2026-03-17

wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notification emails to victim accounts.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Gvectors Wpdiscuz

    APP
    Gvectors
    < 7.6.47
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-22193CRITICAL9.2PL ✓ten sam produkt

SQL Injection w wtyczce WordPress wpDiscuz (getAllSubscriptions)

CVE-2024-9488CRITICAL9.8PL ✓ten sam produkt

Authentication bypass w pluginie wpDiscuz dla WordPress (do wersji 7.6.24)

CVE-2020-24186CRITICAL10.0ten sam produkt

A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, ...

CVE-2020-13640CRITICAL9.8ten sam produkt

A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers ...

CVE-2026-22182HIGH8.7ten sam produkt

wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users...