CVE-2026-22216: Improper Control of Interaction Frequency in gVectors wpDiscuz
CVE-2026-22216 is a medium severity vulnerability in gVectors wpDiscuz versions before 7.6.47. It involves missing rate limiting on the subscription endpoint, allowing unauthenticated attackers to subscribe arbitrary email addresses to post notifications. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses, causing unwanted notification emails to be sent to victims. This can lead to spam, user annoyance, and potential email service abuse. No authentication or user interaction is required, and the vulnerability affects the availability and integrity of email notification services. There are no known exploits in the wild yet, but the vulnerability is publicly disclosed. Organizations using vulnerable wpDiscuz versions should apply patches or implement mitigations promptly to prevent abuse. The threat primarily affects websites using wpDiscuz, which is popular in WordPress communities worldwide, especially in countries with high WordPress adoption.
AI Analysis
Technical Summary
CVE-2026-22216 is a vulnerability in the wpDiscuz WordPress plugin developed by gVectors, specifically affecting versions prior to 7.6.47. The issue stems from an improper control of interaction frequency, or missing rate limiting, on the wpdAddSubscription handler within the class.WpdiscuzHelperAjax.php file. This handler processes POST requests to subscribe email addresses to post notifications. Due to the lack of rate limiting and input validation, unauthenticated attackers can send crafted POST requests to subscribe arbitrary email addresses without consent. Moreover, the vulnerability allows the use of SQL LIKE wildcard characters in the subscription query, enabling attackers to match multiple email addresses in the database and trigger mass notification emails to those addresses. This can be exploited to generate spam or denial-of-service conditions on email servers by flooding victim inboxes with unwanted notifications. The vulnerability does not require any authentication or user interaction, making it easier to exploit remotely. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction needed, and impacts on confidentiality, integrity, and availability at a low to medium level. Although no known exploits are reported in the wild, the public disclosure increases the risk of exploitation. The vulnerability primarily affects websites running vulnerable versions of wpDiscuz, a popular commenting plugin for WordPress, widely used globally. The absence of patch links suggests that immediate mitigation steps or updates should be sought from the vendor. This vulnerability highlights the importance of implementing rate limiting and input validation on subscription endpoints to prevent abuse.
Potential Impact
The primary impact of CVE-2026-22216 is the unauthorized subscription of arbitrary email addresses to post notifications, leading to unsolicited emails being sent to victims. This can result in significant user annoyance, potential reputational damage to affected websites, and increased load on email infrastructure, potentially causing denial-of-service conditions for email servers. Organizations may face increased support costs due to user complaints and may suffer from reduced trust if their notification systems are abused. While the vulnerability does not directly lead to data breaches or system compromise, the abuse of notification services can be leveraged as part of broader spam campaigns or social engineering attacks. The lack of authentication and user interaction requirements makes exploitation straightforward and scalable. The impact on confidentiality and integrity is limited but non-negligible due to the manipulation of subscription data and unsolicited information disclosure. Availability impacts arise from potential email service overload. Overall, the threat affects the reliability and trustworthiness of communication channels on affected websites.
Mitigation Recommendations
To mitigate CVE-2026-22216, organizations should immediately update wpDiscuz to version 7.6.47 or later once available, as this version addresses the missing rate limiting vulnerability. In the absence of an official patch, administrators should implement custom rate limiting on the wpdAddSubscription endpoint at the web server or application firewall level to restrict the frequency of subscription requests from the same IP address. Input validation should be enhanced to disallow SQL wildcard characters in email subscription requests to prevent mass matching of email addresses. Monitoring and alerting on unusual spikes in subscription activity can help detect exploitation attempts early. Additionally, implementing CAPTCHA or other challenge-response tests on subscription forms can reduce automated abuse. Reviewing email notification policies to limit the volume and frequency of notifications sent to users can mitigate the impact of potential abuse. Finally, educating users to recognize and report unsolicited notifications can aid in early detection and response.
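As an added illustration (not wpDiscuz's code) of the two points made above: why an unescaped LIKE wildcard in a subscription lookup matches many stored addresses, and what a hardened lookup plus a per-IP rate limit looks like. The table, addresses, IPs and limits are constructed for the example; the escaping mirrors what WordPress's `$wpdb->esc_like()` does.

```python
import re
import sqlite3
from collections import defaultdict, deque

# Constructed in-memory subscriber table for the example (not real data).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE subs (post_id INTEGER, email TEXT)")
conn.executemany("INSERT INTO subs VALUES (?, ?)", [
    (1, "alice@example.com"), (1, "bob@example.com"),
    (1, "carol@example.org"), (2, "dave@example.com"),
])

def match_unescaped(post_id, email):
    """Defect class: caller input goes straight into LIKE, so '%' and '_'
    act as wildcards and one request can match many subscribers."""
    cur = conn.execute("SELECT email FROM subs WHERE post_id=? AND email LIKE ?",
                       (post_id, email))
    return sorted(r[0] for r in cur)

# Plain address only: '%' and other non-address characters are rejected up front.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def escape_like(s):
    """Escape LIKE metacharacters (what $wpdb->esc_like() does in WordPress)."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def match_hardened(post_id, email):
    """Validate, then escape so the pattern can only match one literal
    address ('_' is legal in a local part, so it is escaped, not banned).
    Comparing with '=' instead of LIKE is the simpler equivalent."""
    if not EMAIL_RE.fullmatch(email):
        return []
    cur = conn.execute(
        "SELECT email FROM subs WHERE post_id=? AND email LIKE ? ESCAPE '\\'",
        (post_id, escape_like(email)))
    return sorted(r[0] for r in cur)

class RateLimiter:
    """Sliding-window limiter keyed by client IP: at most `limit` subscription
    requests per `window` seconds; `now` is injected so tests need not sleep."""
    def __init__(self, limit=5, window=60.0):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()          # drop requests that fell out of the window
        if len(q) >= self.limit:
            return False         # over budget: reject before any email is queued
        q.append(now)
        return True
```

A per-IP limit alone is a blunt instrument (shared NATs, rotating sources), so pair it with the validation step and with alerting on subscription volume as the text recommends.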
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Netherlands, Japan, South Korea, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-06T16:47:17.187Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b36fc22f860ef9434ef315
Added to database: 3/13/2026, 2:00:34 AM
Last enriched: 3/20/2026, 2:40:34 AM
Last updated: 4/28/2026, 10:06:59 AM