CVE-2026-22216: Improper Control of Interaction Frequency in gVectors wpDiscuz
wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notification emails to victim accounts.
AI Analysis
Technical Summary
CVE-2026-22216 is a vulnerability identified in the gVectors wpDiscuz WordPress plugin prior to version 7.6.47. The flaw arises from improper control of interaction frequency, specifically a missing rate limiting mechanism on the wpdAddSubscription AJAX handler implemented in class.WpdiscuzHelperAjax.php. This handler processes POST requests to subscribe email addresses to post notifications. Because there is no authentication or rate limiting, unauthenticated attackers can automate subscription requests to arbitrary email addresses. Furthermore, the vulnerability allows the use of LIKE wildcard characters in the subscription query, enabling attackers to match and subscribe multiple email addresses en masse. This results in victims receiving unsolicited notification emails, effectively turning the plugin into a vector for spam campaigns or email flooding attacks. The vulnerability impacts confidentiality by exposing victim email addresses to unsolicited communications and availability by potentially overwhelming mail servers or user inboxes. The CVSS 4.0 vector indicates no privileges or user interaction are required, with low attack complexity, and partial impact on confidentiality and availability. No known exploits have been reported yet, but the ease of exploitation and public accessibility of the vulnerable endpoint make this a significant risk for sites running affected versions of wpDiscuz.
Potential Impact
The primary impact of CVE-2026-22216 is the ability for attackers to abuse the wpDiscuz subscription feature to send unsolicited notification emails to arbitrary or multiple victim email addresses. This can lead to spam flooding, which may degrade the availability of email services for victims and increase the risk of email blacklisting for the affected domains. Organizations may face reputational damage if their infrastructure is used to send spam or if user trust is eroded due to unsolicited emails. Additionally, the volume of generated emails could impose additional load on mail servers, potentially causing denial of service conditions. While the vulnerability does not directly lead to data breach or system compromise, the indirect effects on service availability and user trust are notable. Since exploitation requires no authentication or user interaction, the attack surface is broad, affecting any publicly accessible WordPress site running vulnerable versions of wpDiscuz. This could impact a wide range of organizations, especially those relying on wpDiscuz for community engagement and notifications.
Mitigation Recommendations
To mitigate CVE-2026-22216, organizations should immediately upgrade wpDiscuz to version 7.6.47 or later, which patches the vulnerability. If upgrading is not immediately possible, implement strict rate limiting on the wpdAddSubscription AJAX endpoint to restrict the frequency of subscription requests from the same IP address or client. Additionally, enhance input validation to disallow wildcard characters or other query modifiers in email subscription requests to prevent mass subscription abuse. Employ CAPTCHA or other bot detection mechanisms on subscription forms to reduce automated abuse. Monitor outgoing email traffic for unusual spikes in notification emails that may indicate exploitation attempts. Finally, consider implementing email verification or double opt-in mechanisms for subscriptions so that only legitimate email addresses are subscribed, reducing the risk of abuse.
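The interim mitigations above (per-IP rate limiting, rejecting wildcard input, exact-match lookups and double opt-in) combined in one hardened WordPress guest-subscription AJAX handler. This is an added example, not wpDiscuz's own code or fix; the hook name, the table name and the limit of five requests per ten minutes are assumptions. It also shows a caveat the recommendation leaves implicit: WordPress's is_email() accepts '%' and '_' in the local part, so validation alone does not neutralise a LIKE pattern, and the lookup must compare with '=' or escape via $wpdb->esc_like().

```php
<?php
// Assumed action name; wpDiscuz's real handler is wpdAddSubscription.
add_action('wp_ajax_nopriv_hardened_add_subscription', 'hardened_add_subscription');
add_action('wp_ajax_hardened_add_subscription', 'hardened_add_subscription');

function hardened_add_subscription() {
    global $wpdb;

    // 1. Rate limit per client IP, counted in a transient (assumed: 5 per 10 minutes).
    $ip    = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    $key   = 'sub_rl_' . md5($ip);
    $count = (int) get_transient($key);
    if ($count >= 5) {
        wp_send_json_error('Too many subscription requests, try again later.', 429);
    }
    set_transient($key, $count + 1, 10 * MINUTE_IN_SECONDS);

    // 2. Validate input. is_email() still permits '%' and '_', so it is not,
    //    on its own, a defence against LIKE wildcards.
    $email   = isset($_POST['email']) ? sanitize_email(wp_unslash($_POST['email'])) : '';
    $post_id = isset($_POST['postId']) ? absint($_POST['postId']) : 0;
    if (!is_email($email) || !$post_id || get_post_status($post_id) !== 'publish') {
        wp_send_json_error('Invalid subscription request.', 400);
    }

    // 3. Never let user input act as a LIKE pattern: compare with '='.
    //    If a LIKE is genuinely needed, escape first: $wpdb->esc_like($email).
    $table  = $wpdb->prefix . 'example_subscriptions'; // assumed table name
    $exists = (int) $wpdb->get_var($wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE post_id = %d AND email = %s",
        $post_id, $email
    ));

    if (!$exists) {
        // 4. Double opt-in: store unconfirmed and mail a one-time confirmation token,
        //    so an attacker cannot subscribe an address its owner never confirms.
        $token = wp_generate_password(32, false);
        $wpdb->insert($table, [
            'post_id' => $post_id, 'email' => $email, 'confirmed' => 0, 'token' => $token,
        ], ['%d', '%s', '%d', '%s']);
        $link = add_query_arg(['sub_confirm' => $token], get_permalink($post_id));
        wp_mail($email, 'Confirm your subscription', 'Confirm here: ' . $link);
    }

    // Identical response whether or not the address was already known (no enumeration).
    wp_send_json_success('If the address is valid, a confirmation email has been sent.');
}
```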
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-06T16:47:17.187Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b36fc22f860ef9434ef315
Added to database: 3/13/2026, 2:00:34 AM
Last enriched: 3/13/2026, 2:14:33 AM
Last updated: 3/14/2026, 2:28:40 AM