CVE-2026-22216
Received Received - Intake
Missing Rate Limiting in wpDiscuz Allows Email Subscription Abuse

Publication date: 2026-03-13

Last updated on: 2026-03-17

Assigner: VulnCheck

Description
wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notification emails to victim accounts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22216
EUVD
EUVD-2026-11753
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gvectors wpdiscuz to 7.6.47 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-799 The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22216 is a vulnerability in wpDiscuz versions before 7.6.47 where there is no rate limiting on the subscription endpoints.

Unauthenticated attackers can send POST requests to the wpdAddSubscription handler in the class WpdiscuzHelperAjax.php to subscribe arbitrary email addresses to post notifications without any restriction.

Attackers can also use SQL LIKE wildcard characters in the subscription query to match multiple email addresses at once, causing unwanted notification emails to be sent to many victim accounts.

Impact Analysis

This vulnerability can be exploited to send unwanted notification emails to multiple victim accounts by subscribing arbitrary email addresses without authorization.

The attack requires no privileges or user interaction and can be performed remotely over the network.

While the impact on confidentiality is limited, it can cause a denial of service by overwhelming users with unwanted emails and potentially degrade availability.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual or excessive POST requests to the wpdAddSubscription handler in the class WpdiscuzHelperAjax.php, which is responsible for subscription actions.'}, {'type': 'paragraph', 'content': 'Specifically, you can look for POST requests targeting the subscription endpoint that include email addresses with SQL LIKE wildcard characters, as attackers exploit this to subscribe multiple arbitrary emails.'}, {'type': 'paragraph', 'content': 'Commands to detect such activity might include using network traffic analysis tools or web server logs to filter POST requests to the subscription endpoint. For example, using grep on web server logs:'}, {'type': 'list_item', 'content': "grep -i 'POST.*wpdAddSubscription' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "grep -i 'wpdAddSubscription' /var/log/nginx/access.log | grep -E '\\%|\\_'"}, {'type': 'paragraph', 'content': 'Additionally, monitoring for spikes in notification emails or unusual subscription activity can help identify exploitation attempts.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade wpDiscuz to version 7.6.47 or later, where this missing rate limiting vulnerability has been fixed.

Until the upgrade can be applied, implementing rate limiting on the subscription endpoint to restrict the number of POST requests from unauthenticated users can reduce the risk of exploitation.

Additionally, monitoring and blocking suspicious POST requests containing SQL LIKE wildcard characters in the subscription query can help mitigate abuse.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22216. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart