CVE-2026-22216

wpDiscuz before 7.6.47 - No Rate Limiting on Subscription Endpoints with LIKE Wildcard Bypass

Description

wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notification emails to victim accounts.

INFO

Published Date :

2026-03-13T01:18:16.708Z

Last Modified :

2026-03-13T14:14:03.341Z

Source :

VulnCheck

AFFECTED PRODUCTS

The following products are affected by CVE-2026-22216 vulnerability.

Vendors	Products
Gvectors	Wpdiscuz
Wordpress	Wordpress

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-22216.

URL	Resource
https://wordpress.org/plugins/wpdiscuz/
https://wordpress.org/plugins/wpdiscuz/#developers
https://www.vulncheck.com/advisories/wpdiscuz-before-no-rate-limiting-on-subscription-endpoints-with-like-wildcard-bypass

CVSS Vulnerability Scoring System

V4
V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact