CVE-2026-22216 in wpDiscuz
Summary
by MITRE • 03/13/2026
wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notification emails to victim accounts.
Analysis
by VulDB Data Team • 03/20/2026
The vulnerability identified as CVE-2026-22216 affects wpDiscuz versions prior to 7.6.47 and represents a critical missing rate limiting issue within the WordPress comment management plugin. This flaw exists in the wpdAddSubscription handler located within the class.WpdiscuzHelperAjax.php file, creating an exploitable pathway for unauthenticated attackers to manipulate the subscription system. The vulnerability stems from insufficient validation and rate limiting mechanisms that should normally restrict the frequency and volume of subscription requests to prevent abuse.
Technically, the handler lets an attacker place SQL LIKE wildcard characters in the submitted subscription email, so a single request can match multiple stored addresses at once. An attacker can therefore craft requests that pattern-match against the email database and generate notification emails to numerous victim accounts without proper authorization. Because no rate limit is enforced, such subscription requests can be submitted in large volumes, overwhelming the notification infrastructure and potentially causing denial of service conditions for legitimate users.
From an operational impact perspective, this vulnerability creates significant security and privacy risks for WordPress site administrators and their users. The ability to subscribe arbitrary email addresses to post notifications means that attackers can harvest email addresses from the system or target specific users for unwanted communications. This functionality can be leveraged for spam campaigns, social engineering attacks, or to disrupt normal communication patterns for users who receive unsolicited notification emails. The vulnerability also represents a potential vector for account enumeration attacks, where attackers can systematically discover valid email addresses within the system.
This vulnerability maps to established weakness and threat taxonomies that address weak access controls and insufficient rate limiting. It corresponds to CWE-307 - Improper Restriction of Excessive Authentication Attempts and CWE-770 - Allocation of Resources Without Limits or Throttling, both of which describe fundamental controls that web applications should implement. The attack pattern also shows characteristics consistent with the ATT&CK framework's T1566.001 - Phishing: Spearphishing Attachment, in that the notification spam could serve as a delivery mechanism for additional malicious payloads.
Mitigation strategies for this vulnerability should focus on implementing robust rate limiting mechanisms at the application level, particularly for the wpdAddSubscription endpoint. Administrators should immediately upgrade to wpDiscuz version 7.6.47 or later, which includes the necessary security patches to address the missing rate limiting controls. Additional protective measures include implementing IP-based rate limiting, requiring CAPTCHA verification for subscription requests, and monitoring for unusual patterns of subscription activity. Network-level firewalls should be configured to limit the number of requests per IP address to the affected endpoint, while application-level logging should be enhanced to detect and alert on suspicious subscription patterns. The implementation of these controls aligns with the principle of least privilege and defense in depth strategies recommended by cybersecurity standards organizations.
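As an added example (not part of this page or of the wpDiscuz plugin), the following Python detector applies the monitoring advice above to constructed application-log lines: it flags submitted addresses that contain LIKE metacharacters and bursts of wpdAddSubscription calls from a single IP inside a sliding window. The log format, the IP addresses, the second AJAX action name and the threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption, not wpDiscuz's own logging):
# "<ISO-8601 time> <client ip> action=<ajax action> email=<submitted value>"
LOG_RE = re.compile(r"^(\S+) (\S+) action=(\S+) email=(\S*)$")
# Strict address shape that excludes the LIKE metacharacters '%' and '_' ('_' is legal in real addresses; relax per site policy).
EMAIL_RE = re.compile(r"^[A-Za-z0-9.+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def is_wildcard_email(value: str) -> bool:
    """True if the submitted value could match more than one stored address."""
    return "%" in value or "_" in value or not EMAIL_RE.match(value)

def detect(lines, max_per_window=5, window_seconds=60):
    """Return (ip, reason) alerts for wildcard emails and for more than
    max_per_window wpdAddSubscription calls from one IP inside the window."""
    alerts = []
    recent = defaultdict(deque)  # ip -> request times still inside the window
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group(3) != "wpdAddSubscription":
            continue  # other AJAX actions are out of scope for this rule
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        ip, email = m.group(2), m.group(4)
        if is_wildcard_email(email):
            alerts.append((ip, f"wildcard email {email!r}"))
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()  # drop requests that fell out of the sliding window
        if len(q) == max_per_window + 1:  # fire once when the burst starts
            alerts.append((ip, f"{len(q)} subscriptions in {window_seconds}s"))
    return alerts

# Constructed sample: one normal subscriber, then one IP that submits a wildcard address and follows it with a burst.
SAMPLE_LOG = """\
2026-03-20T10:00:00Z 198.51.100.7 action=wpdAddSubscription email=alice@example.org
2026-03-20T10:00:01Z 203.0.113.5 action=wpdAddSubscription email=%@example.org
2026-03-20T10:00:02Z 203.0.113.5 action=wpdAddSubscription email=b@example.org
2026-03-20T10:00:03Z 203.0.113.5 action=wpdAddSubscription email=c@example.org
2026-03-20T10:00:04Z 203.0.113.5 action=wpdAddSubscription email=d@example.org
2026-03-20T10:00:05Z 203.0.113.5 action=wpdAddSubscription email=e@example.org
2026-03-20T10:00:06Z 203.0.113.5 action=wpdAddSubscription email=f@example.org
2026-03-20T10:01:30Z 203.0.113.5 action=wpdLoadMoreComments email=
""".splitlines()

if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_LOG):
        print(f"ALERT {ip}: {reason}")
```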