CVE-2026-22182 is a vulnerability in the gVectors wpDiscuz WordPress plugin, specifically affecting versions prior to 7.6.47. The vulnerability arises from a missing authorization check in the checkNotificationType() function, which handles notification emails triggered via the wpdiscuz-ajax.php endpoint. Attackers can send repeated HTTP requests with arbitrary postId and comment_id parameters without any authentication or nonce verification, causing the system to send mass notification emails to subscribers. The absence of rate limiting exacerbates the issue, enabling attackers to flood users with notifications, effectively causing a denial of service through email spam. The vulnerability is remotely exploitable without any privileges or user interaction, making it highly accessible to attackers. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N) reflects a network attack vector with low complexity, no authentication, no user interaction, no confidentiality or integrity impact, but a high impact on availability due to the email flooding. While no known exploits have been reported in the wild, the ease of exploitation and potential disruption to user experience and email infrastructure make this a critical issue for sites using the affected plugin versions. The vulnerability highlights the importance of implementing nonce verification, authentication checks, and rate limiting in AJAX handlers that trigger user notifications.

The primary impact of CVE-2026-22182 is on the availability and user experience of websites using the vulnerable wpDiscuz plugin. Attackers can exploit this flaw to send mass notification emails to subscribers, potentially overwhelming email servers, causing service disruptions, and degrading the reputation of the affected domains due to spam-like behavior. This can lead to increased operational costs, blacklisting of email domains, and loss of user trust. Organizations relying on wpDiscuz for community engagement may face significant disruption in communication channels. Additionally, the flood of emails could be leveraged as a vector for social engineering or phishing if attackers combine this with malicious content. The vulnerability does not directly compromise confidentiality or integrity but can indirectly affect organizational operations and user confidence. Given the widespread use of WordPress and the popularity of wpDiscuz, the scope of affected systems is broad, impacting websites globally that have not updated to patched versions.

To mitigate CVE-2026-22182, organizations should immediately update the wpDiscuz plugin to version 7.6.47 or later, where the vulnerability is patched. If immediate patching is not feasible, administrators should implement temporary controls such as: 1) Restricting access to the wpdiscuz-ajax.php endpoint via web application firewall (WAF) rules or IP rate limiting to prevent abuse. 2) Enabling or enforcing CAPTCHA challenges on comment and notification-related AJAX requests to deter automated exploitation. 3) Monitoring outgoing email traffic for unusual spikes in notification emails and alerting on anomalies. 4) Reviewing and tightening WordPress user permissions and plugin configurations to minimize exposure. 5) Employing email rate limiting and spam filtering at the mail server level to reduce impact on recipients. Additionally, plugin developers and site administrators should audit other AJAX endpoints for similar missing authorization or nonce verification issues to prevent future vulnerabilities.