Skip to main content

Wpdiscuz CVE-2026-22203

| EUVDEUVD-2026-11748 MEDIUM
Information Exposure (CWE-200)
2026-03-13 VulnCheck
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 17, 2026 - 20:23 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 07:58 euvd
EUVD-2026-11748
Analysis Generated
Mar 13, 2026 - 07:58 vuln.today
CVE Published
Mar 13, 2026 - 01:18 nvd
MEDIUM 4.9

DescriptionCVE.org

wpDiscuz before 7.6.47 contains an information disclosure vulnerability that allows administrators to inadvertently expose OAuth secrets by exporting plugin options as JSON. Attackers can obtain exported files containing plaintext API secrets like fbAppSecret, googleClientSecret, twitterAppSecret, and other social login credentials from support tickets, backups, or version control repositories.

AnalysisAI

wpDiscuz before version 7.6.47 contains an information disclosure vulnerability where the plugin's JSON export functionality inadvertently exposes OAuth secrets and social login credentials in plaintext. Administrators performing routine plugin option exports or backups unknowingly create files containing sensitive API secrets (Facebook App Secret, Google Client Secret, Twitter App Secret, and others) that can be discovered by attackers in support tickets, backup repositories, or version control systems. An attacker with network access can obtain these exported files to compromise social login integrations and gain unauthorized access to connected third-party services.

Technical ContextAI

wpDiscuz is a WordPress discussion and commenting plugin that integrates with multiple OAuth providers for social login functionality. The vulnerability stems from CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), where the plugin's export functionality serializes all configuration options—including OAuth credentials—directly into JSON format without encryption or redaction. The affected technology involves WordPress plugin architecture (CPE: cpe:2.3:a:wpdiscuz:wpdiscuz) combined with OAuth 2.0 client secrets that should never be exported or transmitted in plaintext. The root cause is inadequate data classification during serialization; the plugin treats all configuration data as non-sensitive when generating export files, failing to implement field-level access controls or cryptographic protection for secrets during the export process.

RemediationAI

Immediately upgrade wpDiscuz to version 7.6.47 or later, which includes fixes to prevent plaintext credential export. Before patching, conduct a security audit of all backup systems, version control repositories, support ticket systems, and any exported plugin configuration files to identify and revoke any exposed OAuth credentials (Facebook App Secrets, Google Client Secrets, Twitter App Secrets). Regenerate and rotate all social login API credentials within their respective provider dashboards (Facebook Developers, Google Cloud Console, Twitter Developer Portal). Implement preventive controls: use WordPress security plugins to restrict admin access and monitor export activities, enforce encrypted backups with access restrictions, prevent WordPress configuration files from being committed to version control, and use environment variables or dedicated secret management solutions (such as WordPress security vaults or key management services) for storing OAuth credentials instead of plugin options. Establish a post-incident review process to prevent similar credential exposure in the future.

CVE-2020-24186 CRITICAL POC
10.0 Aug 24

A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allo

CVE-2020-13640 CRITICAL POC
9.8 Jun 18

A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute

CVE-2024-9488 CRITICAL
9.8 Oct 25

The Comments - wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including

CVE-2026-22192 HIGH
8.8 Mar 13

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a stored cross-site script

CVE-2023-47775 HIGH
8.8 Nov 22

Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team Comments - wpDiscuz plugin <= 7.6.11 versions. Rated hi

CVE-2022-43492 HIGH
8.8 Nov 18

Auth. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch

CVE-2021-24737 MEDIUM POC
4.8 Oct 11

The Comments - wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow mess

CVE-2026-22199 HIGH
8.7 Mar 13

wpDiscuz before version 7.6.47 contains a vote manipulation vulnerability that allows unauthenticated attackers to artif

CVE-2021-24806 MEDIUM POC
4.3 Nov 08

The wpDiscuz WordPress plugin before 7.3.4 does check for CSRF when adding, editing and deleting comments, which could a

CVE-2026-22193 HIGH
8.1 Mar 13

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains an SQL injection vulnerabili

CVE-2026-22202 HIGH
8.1 Mar 13

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a cross-site request forgery

CVE-2026-22182 HIGH
7.5 Mar 13

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains an unauthenticated denial of

Share

CVE-2026-22203 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy