Description
wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notification emails to victim accounts.
Published: 2026-03-13
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted Subscription Abuse
Action: Patch Now
AI Analysis

Impact

wpDiscuz is a WordPress comment plugin that can email subscribers when new comments are posted. Its wpdAddSubscription AJAX handler in class.WpdiscuzHelperAjax.php accepts POST requests from unauthenticated users and applies no rate limiting. Because the subscription lookup uses a SQL LIKE comparison on the submitted address without neutralising the wildcard characters, a single request containing % or _ can match several stored addresses, including those belonging to other users, and trigger notification emails to all of them. The practical result is mass unsolicited email to victims, which can be used for spam or to lend legitimacy to phishing. The weakness is classified as CWE‑799 (Improper Control of Interaction Frequency).

Affected Systems

The vulnerability is present in the wpDiscuz plugin for WordPress installations running any version earlier than 7.6.47. The affected product is identified by the CPE cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*. Sites using 7.6.47 or later are not affected.

Risk and Exploitability

The CVSS v4.0 base score is 6.9 (Medium; vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N) and the CVSS v3.1 score is 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L): network reachable, low complexity, no privileges or user interaction, no confidentiality impact, and low integrity and availability impact. The EPSS score is below 1 %, suggesting a low likelihood of exploitation in the near term, and the vulnerability is not listed in CISA's KEV catalog. The SSVC assessment records Exploitation: none, Automatable: yes and Technical Impact: partial. Attackers exploit the flaw with unauthenticated HTTP POST requests to the wpdAddSubscription handler; because nothing throttles repeated requests, it can be scripted for large‑scale notification spam. The integrity impact is limited to creating unwanted subscriptions and sending unsolicited email, and no data is disclosed.

Generated by OpenCVE AI on March 17, 2026 at 12:24 UTC.
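The lookup-and-throttle behaviour described in the Impact and Risk paragraphs above, as an added example that is not code from wpDiscuz, gVectors or OpenCVE: a Python/SQLite model of a subscription lookup that passes the submitted address straight into a SQL LIKE comparison, next to a hardened version that escapes the wildcard characters the way WordPress's $wpdb->esc_like() does and throttles the handler per source IP. The table layout, the function names, the email pattern and the five-requests-per-minute limit are assumptions chosen for illustration; the real plugin is PHP on MySQL and its actual query is not reproduced here.

```python
import re
import sqlite3
from collections import defaultdict, deque

# Constructed subscriber table: three addresses on one domain plus a bystander.
SUBSCRIBERS = [
    ("alice@victim.example", 10),
    ("bob@victim.example", 10),
    ("carol@victim.example", 11),
    ("dave@other.example", 10),
]


def build_db():
    """In-memory SQLite stand-in for the plugin's subscription table (assumed layout)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscriptions (email TEXT NOT NULL, post_id INTEGER NOT NULL)")
    db.executemany("INSERT INTO subscriptions VALUES (?, ?)", SUBSCRIBERS)
    return db


def match_vulnerable(db, email):
    """Lookup that feeds the submitted address into LIKE unchanged: % and _ act as
    wildcards, so one request can select many subscribers. In this model every
    returned row is a mailbox the notification path would email."""
    rows = db.execute("SELECT email FROM subscriptions WHERE email LIKE ?", (email,))
    return sorted(r[0] for r in rows)


def esc_like(text):
    """Backslash-escape LIKE metacharacters, the same transformation WordPress's
    $wpdb->esc_like() applies (addcslashes on '_', '%' and the backslash)."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def match_hardened(db, email):
    """Same lookup with the wildcards escaped, so the address is compared literally."""
    rows = db.execute(
        "SELECT email FROM subscriptions WHERE email LIKE ? ESCAPE '\\'", (esc_like(email),)
    )
    return sorted(r[0] for r in rows)


class RateLimiter:
    """Sliding-window counter per source IP: at most `limit` requests in `window`
    seconds. The numbers are illustrative, not values from the fixed plugin."""

    def __init__(self, limit=5, window=60.0):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, ip, now):
        q = self._hits[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Deliberately simple address check (assumption): it rejects %, but _ is legal in
# a local part, so validation alone cannot stop the wildcard problem.
EMAIL_RE = re.compile(r"^[A-Za-z0-9.+_-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def add_subscription(db, limiter, ip, email, now, hardened=True):
    """Model of the unauthenticated POST handler. Returns (status, addresses that
    would be emailed). The hardened path throttles before it validates, so
    rejected requests still consume quota."""
    if not hardened:
        return "ok", match_vulnerable(db, email)
    if not limiter.allow(ip, now):
        return "rate_limited", []
    if not EMAIL_RE.match(email):
        return "invalid_email", []
    return "ok", match_hardened(db, email)  # escaping covers the _ case


if __name__ == "__main__":
    db, lim = build_db(), RateLimiter()
    print(add_subscription(db, lim, "203.0.113.9", "%@victim.example", 0.0, hardened=False))
    print(add_subscription(db, lim, "203.0.113.9", "%@victim.example", 0.0))
    print(add_subscription(db, lim, "203.0.113.9", "_lice@victim.example", 1.0))
```

The second and third calls show why both layers are needed: an address check stops the obvious `%` payload, but `_lice@victim.example` passes any reasonable email pattern and still matches a real subscriber unless the LIKE wildcards are escaped, and neither check limits how often a single client can make the handler send mail.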

Remediation

No vendor advisory or workaround is recorded for this entry. The CVE description and title name 7.6.47 as the first unaffected version, so upgrading to that release or later is the fix.

OpenCVE Recommended Actions

  • Upgrade wpDiscuz to version 7.6.47 or later where the rate‑limiting issue is fixed.
  • Verify the plugin version after the upgrade by checking the Plugins page in the WordPress dashboard.
  • If an upgrade is not immediately possible, implement temporary rate limiting on requests carrying action=wpdAddSubscription, for example with web application firewall or reverse‑proxy rules that cap POST requests per source IP. With WordPress's native AJAX these requests arrive at /wp-admin/admin-ajax.php, but wpDiscuz may route its AJAX through its own endpoint, so match on the action parameter rather than on the path alone. Per‑IP caps do not stop distributed or proxied senders.
  • Add CAPTCHA or user authentication to the subscription form to prevent automated requests.
  • Regularly review WordPress and plugin updates and review site logs for unusual subscription activity.

Generated by OpenCVE AI on March 17, 2026 at 12:24 UTC.
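For the log review in the last recommendation, an added example that is not OpenCVE's or wpDiscuz's code: a detector that flags bursts of subscription requests in combined‑format web server access logs. It assumes the requests reach WordPress's AJAX entry point /wp-admin/admin-ajax.php or wpDiscuz's own AJAX endpoint (the second path is an assumption), and that the log is in chronological order per client. The plugin's own JavaScript sends the action name in the POST body, which access logs do not capture, so the detector keys on the volume of POSTs to those endpoints per source IP and only reports the action and a wildcard address when they are visible in the query string. The sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD url proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Paths that can carry wpDiscuz AJAX actions. The second path is an assumption:
# wpDiscuz can route AJAX through its own endpoint instead of admin-ajax.php.
AJAX_PATHS = (
    "/wp-admin/admin-ajax.php",
    "/wp-content/plugins/wpdiscuz/utils/ajax/wpdiscuz-ajax.php",
)
WILDCARDS = set("%_")


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    qs = parse_qs(parts.query)
    email = qs.get("email", [""])[0]
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp(),
        "method": m["method"],
        "path": parts.path,
        "action": qs.get("action", [""])[0],
        "wildcard_email": bool(WILDCARDS & set(email)),
    }


def detect(lines, threshold=20, window=60.0):
    """Flag source IPs that POST to an AJAX endpoint more than `threshold` times
    within any `window`-second span. Returns {ip: {"peak", "action_seen",
    "wildcard_seen"}} for flagged IPs only; assumes lines are time-ordered per IP."""
    recent = defaultdict(deque)
    report = {}
    for rec in (parse_line(line) for line in lines):
        if rec is None or rec["method"] != "POST" or rec["path"] not in AJAX_PATHS:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        entry = report.setdefault(
            rec["ip"], {"peak": 0, "action_seen": False, "wildcard_seen": False}
        )
        entry["peak"] = max(entry["peak"], len(q))
        entry["action_seen"] |= rec["action"] == "wpdAddSubscription"
        entry["wildcard_seen"] |= rec["wildcard_email"]
    return {ip: e for ip, e in report.items() if e["peak"] > threshold}


def _line(ip, second, url, method="POST", ua="curl/8.4.0"):
    """Build one constructed log line at 12:00:<second> on the publication date."""
    return (f'{ip} - - [13/Mar/2026:12:00:{second:02d} +0000] "{method} {url} HTTP/1.1" '
            f'200 512 "-" "{ua}"')


# Constructed sample: one client fires 25 subscription POSTs in 25 seconds with the
# action and a URL-encoded wildcard address in the query string; a normal visitor
# makes one AJAX POST and one page view.
SAMPLE_LOG = (
    [_line("203.0.113.9", s,
           "/wp-admin/admin-ajax.php?action=wpdAddSubscription&email=%25@victim.example")
     for s in range(25)]
    + [_line("198.51.100.7", 10, "/wp-admin/admin-ajax.php"),
       _line("198.51.100.7", 30, "/2026/03/hello-world/", method="GET", ua="Mozilla/5.0")]
)

if __name__ == "__main__":
    for ip, entry in detect(SAMPLE_LOG).items():
        print(ip, entry)
```

Tune `threshold` to the site's normal comment and vote traffic, since admin-ajax.php serves every wpDiscuz action, not only subscriptions; a WAF audit log that records request bodies lets the same `wildcard_email` check run on the actual POST parameters.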


Advisories

No advisories yet.

History

Fri, 13 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Fri, 13 Mar 2026 02:00:00 +0000

Type | Values Removed | Values Added
Description | | wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notification emails to victim accounts.
Title | | wpDiscuz before 7.6.47 - No Rate Limiting on Subscription Endpoints with LIKE Wildcard Bypass
First Time appeared | | Gvectors; Gvectors wpdiscuz
Weaknesses | | CWE-799
CPEs | | cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
Vendors & Products | | Gvectors; Gvectors wpdiscuz
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}; cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-13T14:14:03.341Z

Reserved: 2026-01-06T16:47:17.187Z

Link: CVE-2026-22216

Vulnrichment

Updated: 2026-03-13T14:13:54.998Z

NVD

Status : Analyzed

Published: 2026-03-13T19:54:11.653

Modified: 2026-03-17T11:43:07.663

Link: CVE-2026-22216

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:59:49Z

Weaknesses