Impact
wpDiscuz, a WordPress comment plugin, prior to version 7.6.47 contains an unauthenticated denial-of-service weakness that allows attackers to trigger an uncontrolled flood of email notifications. The vulnerability is located in the checkNotificationType() function, which is exposed through the wpdiscuz-ajax.php endpoint without requiring any nonce verification, authentication, or rate limiting. When an attacker repeatedly supplies arbitrary postId and comment_id parameters, the plugin sends a large volume of notification emails to all subscribers, exhausting mail server resources and interrupting normal service. This flaw maps to CWE-770 (Excessive Resource Consumption) and CWE-862 (Missing Access Control).
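The three missing controls named above (nonce verification, authentication, rate limiting) are what a defender would expect any mail-sending AJAX handler to enforce. The following is an added, illustrative WordPress handler written for this page; it is not wpDiscuz code and does not reproduce checkNotificationType(). The hook name example_notify, the helper functions, the nonce action string, the comment-meta key and the limit of 5 requests per 10 minutes are all assumptions chosen for the example; only the postId and comment_id parameter names come from the advisory.

```php
<?php
// Illustrative hardened AJAX handler (added example, not wpDiscuz code).
// Hook names, helper names, nonce action and thresholds are assumptions.

add_action( 'wp_ajax_example_notify',        'example_handle_notify' );
add_action( 'wp_ajax_nopriv_example_notify', 'example_handle_notify' );

function example_handle_notify() {
    // 1. Nonce check: the request must carry a nonce issued to this page/session.
    //    check_ajax_referer() terminates the request itself when the nonce is bad.
    check_ajax_referer( 'example_notify_nonce', 'nonce' );

    // 2. Authentication: anonymous visitors may not trigger notification mail.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required' ), 401 );
    }

    // 3. Input validation: only an existing, published post and a comment that
    //    actually belongs to it are accepted (rejects arbitrary postId/comment_id).
    $post_id    = isset( $_POST['postId'] ) ? absint( $_POST['postId'] ) : 0;
    $comment_id = isset( $_POST['comment_id'] ) ? absint( $_POST['comment_id'] ) : 0;
    $post       = $post_id ? get_post( $post_id ) : null;
    if ( ! $post || 'publish' !== $post->post_status ) {
        wp_send_json_error( array( 'message' => 'Invalid post' ), 400 );
    }
    $comment = $comment_id ? get_comment( $comment_id ) : null;
    if ( ! $comment || (int) $comment->comment_post_ID !== $post_id ) {
        wp_send_json_error( array( 'message' => 'Invalid comment' ), 400 );
    }

    // 4. Rate limiting: at most 5 requests per user per 10-minute window.
    if ( ! example_rate_limit_ok( get_current_user_id(), 5, 10 * MINUTE_IN_SECONDS ) ) {
        wp_send_json_error( array( 'message' => 'Too many requests' ), 429 );
    }

    // 5. Idempotency: a given comment produces at most one notification run,
    //    so repeating the request cannot multiply outbound mail.
    if ( get_comment_meta( $comment_id, '_example_notified', true ) ) {
        wp_send_json_success( array( 'sent' => false ) );
    }
    update_comment_meta( $comment_id, '_example_notified', 1 );

    // Hand off to whatever actually builds and sends the mail (assumed hook).
    do_action( 'example_send_comment_notification', $post_id, $comment_id );
    wp_send_json_success( array( 'sent' => true ) );
}

// Counter stored in a transient; returns false once the limit is reached.
function example_rate_limit_ok( $user_id, $limit, $window ) {
    $key   = 'example_notify_rl_' . $user_id;
    $count = (int) get_transient( $key );
    if ( $count >= $limit ) {
        return false;
    }
    // set_transient() refreshes the expiry, so the window slides slightly;
    // acceptable for abuse control, not for precise quota accounting.
    set_transient( $key, $count + 1, $window );
    return true;
}
```

The order of the checks matters for cost: the nonce and login checks are cheap and reject unauthenticated floods before any database lookup, the validation step stops invalid identifiers from reaching the mailer, and the per-comment idempotency flag caps total mail volume even for a legitimate user who retries.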
Affected Systems
The vulnerability affects the wpDiscuz plugin by gVectors, distributed via WordPress. All releases before 7.6.47 are vulnerable. The Common Platform Enumeration for the product is cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*. Administrators running older plugin versions should verify the installed version and plan an update to 7.6.47 or later.
Risk and Exploitability
The flaw has a CVSS score of 8.7, classifying it as high severity. The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting that no known weaponised exploit exists. The attack is likely remote and entirely unauthenticated, requiring only the ability to issue HTTP requests to the wpdiscuz-ajax.php endpoint. Because the handler lacks authentication checks, a threat actor can rapidly flood the system with notification emails, resulting in immediate denial of service to legitimate users and potential reputational damage.
OpenCVE Enrichment