CVE-2026-22182: Missing Authorization in gVectors wpDiscuz
wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType() function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id parameters to flood subscribers with notifications, as the handler lacks nonce verification, authentication checks, and rate limiting.
AI Analysis
Technical Summary
CVE-2026-22182 is a denial of service vulnerability found in the gVectors wpDiscuz WordPress plugin before version 7.6.47. The vulnerability arises from missing authorization controls in the checkNotificationType() function, which is responsible for handling notification emails triggered by user interactions on posts and comments. Specifically, the wpdiscuz-ajax.php endpoint processes requests containing postId and comment_id parameters without verifying the authenticity of the requester via nonce tokens or authentication checks. Additionally, the function lacks rate limiting, allowing an attacker to send repeated requests that cause the system to send mass notification emails to subscribers. This can flood users’ inboxes, degrade email service quality, and potentially lead to email service provider blacklisting or resource exhaustion on the hosting server. The vulnerability is remotely exploitable without any privileges or user interaction, increasing its risk profile. The CVSS 4.0 base score is 8.7, reflecting high severity due to network attack vector, no required privileges or user interaction, and high impact on availability. No patches or exploits are currently reported, but the vulnerability’s characteristics suggest it could be weaponized for spam campaigns or denial of service attacks against websites using wpDiscuz.
Potential Impact
The primary impact of CVE-2026-22182 is denial of service through mass unsolicited notification emails sent to subscribers of affected WordPress sites. This can overwhelm users with spam, degrade user experience, and cause reputational damage to website operators. Email service providers may throttle or block emails from the affected domains, disrupting legitimate communications. Hosting servers may experience increased load and resource exhaustion due to processing repeated notification requests, potentially leading to website downtime. Organizations relying on wpDiscuz for community engagement risk losing subscriber trust and may face operational disruptions. The vulnerability’s unauthenticated nature means attackers can exploit it at scale without needing credentials, increasing the likelihood of widespread abuse. Although no direct data confidentiality or integrity compromise is indicated, the availability impact and potential collateral damage to email infrastructure are significant concerns.
Mitigation Recommendations
To mitigate CVE-2026-22182, organizations should immediately update wpDiscuz to version 7.6.47 or later where the vulnerability is patched. If immediate patching is not possible, implement web application firewall (WAF) rules to detect and block excessive or anomalous requests to wpdiscuz-ajax.php, particularly those with suspicious postId and comment_id parameters. Rate limiting should be enforced at the application or server level to restrict the number of notification-triggering requests per IP address within a given timeframe. Additionally, monitor outgoing email traffic for unusual spikes in notification emails and configure email sending limits or throttling on mail servers. Review and harden WordPress security configurations, including disabling unnecessary AJAX endpoints if feasible. Finally, educate site administrators about the risk and encourage prompt application of security updates to reduce exposure.
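The rate-limiting and monitoring advice above can be checked against ordinary web server access logs. The Python script below is an added example, not part of this advisory and not code from the wpDiscuz plugin: it parses combined-format access log lines, counts requests to wpdiscuz-ajax.php per source IP inside a sliding 60-second window, and reports any client whose count exceeds a threshold, along with how many distinct postId/comment_id pairs that client touched (a single client cycling through many comment IDs is the pattern the advisory describes). The log lines, IP addresses, the endpoint path (placed at the web root here; the real plugin path differs, so the matcher keys on the file name only), the query-string placement of the two parameters, and the threshold of 20 requests per minute are all constructed assumptions, not values from the page.

```python
"""Flag per-IP bursts of requests to wpdiscuz-ajax.php in access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_notification_request(path):
    """True for any request whose path ends in wpdiscuz-ajax.php, whatever the plugin directory."""
    return urlparse(path).path.endswith("/wpdiscuz-ajax.php")


def find_bursts(lines, window_seconds=60, threshold=20):
    """Return {ip: {"peak": n, "targets": k}} for every IP that sent more than
    `threshold` requests to wpdiscuz-ajax.php within any `window_seconds` window.
    `peak` is the largest in-window count seen; `targets` is the number of distinct
    (postId, comment_id) pairs that IP requested (assumed here to be in the query string)."""
    recent = defaultdict(deque)   # ip -> timestamps of endpoint hits still inside the window
    peak = defaultdict(int)       # ip -> highest in-window count observed
    targets = defaultdict(set)    # ip -> distinct (postId, comment_id) pairs
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_notification_request(rec["path"]):
            continue
        ip, t = rec["ip"], rec["time"]
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop hits that fell out of the sliding window
        peak[ip] = max(peak[ip], len(q))
        qs = parse_qs(urlparse(rec["path"]).query)
        targets[ip].add((qs.get("postId", [""])[0], qs.get("comment_id", [""])[0]))
    return {ip: {"peak": n, "targets": len(targets[ip])}
            for ip, n in peak.items() if n > threshold}


def constructed_sample():
    """Constructed log lines (not real traffic): one normal visitor, one noisy client,
    plus unrelated requests that the endpoint filter must ignore."""
    base = ('{ip} - - [13/Mar/2026:02:{mm:02d}:{ss:02d} +0000] '
            '"POST {path} HTTP/1.1" 200 31')
    lines = []
    # Normal visitor: three endpoint hits spread over two minutes.
    for mm, ss in ((0, 5), (1, 40), (1, 55)):
        lines.append(base.format(ip="198.51.100.9", mm=mm, ss=ss,
                                 path="/wpdiscuz-ajax.php?postId=12&comment_id=40"))
    # Noisy client: thirty hits in thirty seconds, each with a different comment_id.
    for sec in range(30):
        lines.append(base.format(ip="203.0.113.7", mm=0, ss=sec,
                                 path=f"/wpdiscuz-ajax.php?postId=12&comment_id={100 + sec}"))
    # Unrelated traffic from the noisy client that must not be counted.
    lines.append(base.format(ip="203.0.113.7", mm=0, ss=10, path="/index.php"))
    lines.append("this line is not in combined log format")
    return lines


if __name__ == "__main__":
    for ip, info in find_bursts(constructed_sample()).items():
        print(f"{ip}: peak {info['peak']} requests/minute, "
              f"{info['targets']} distinct postId/comment_id pairs")
```

Point the script at a real log with a threshold tuned to the site's normal comment activity; a client that exceeds it while cycling through many comment_id values is a candidate for a WAF block or a per-IP rate limit on the endpoint.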
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-06T16:47:17.182Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b36fc02f860ef9434ef286
Added to database: 3/13/2026, 2:00:32 AM
Last enriched: 3/13/2026, 2:14:18 AM
Last updated: 3/13/2026, 7:41:00 PM