Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
wpDiscuz before 7.6.47 contains an information disclosure vulnerability that allows administrators to inadvertently expose OAuth secrets by exporting plugin options as JSON. Attackers can obtain exported files containing plaintext API secrets like fbAppSecret, googleClientSecret, twitterAppSecret, and other social login credentials from support tickets, backups, or version control repositories.
AnalysisAI
wpDiscuz before version 7.6.47 contains an information disclosure vulnerability where the plugin's JSON export functionality inadvertently exposes OAuth secrets and social login credentials in plaintext. Administrators performing routine plugin option exports or backups unknowingly create files containing sensitive API secrets (Facebook App Secret, Google Client Secret, Twitter App Secret, and others) that can be discovered by attackers in support tickets, backup repositories, or version control systems. An attacker with network access can obtain these exported files to compromise social login integrations and gain unauthorized access to connected third-party services.
Technical ContextAI
wpDiscuz is a WordPress discussion and commenting plugin that integrates with multiple OAuth providers for social login functionality. The vulnerability stems from CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), where the plugin's export functionality serializes all configuration options—including OAuth credentials—directly into JSON format without encryption or redaction. The affected technology involves WordPress plugin architecture (CPE: cpe:2.3:a:wpdiscuz:wpdiscuz) combined with OAuth 2.0 client secrets that should never be exported or transmitted in plaintext. The root cause is inadequate data classification during serialization; the plugin treats all configuration data as non-sensitive when generating export files, failing to implement field-level access controls or cryptographic protection for secrets during the export process.
RemediationAI
Immediately upgrade wpDiscuz to version 7.6.47 or later, which includes fixes to prevent plaintext credential export. Before patching, conduct a security audit of all backup systems, version control repositories, support ticket systems, and any exported plugin configuration files to identify and revoke any exposed OAuth credentials (Facebook App Secrets, Google Client Secrets, Twitter App Secrets). Regenerate and rotate all social login API credentials within their respective provider dashboards (Facebook Developers, Google Cloud Console, Twitter Developer Portal). Implement preventive controls: use WordPress security plugins to restrict admin access and monitor export activities, enforce encrypted backups with access restrictions, prevent WordPress configuration files from being committed to version control, and use environment variables or dedicated secret management solutions (such as WordPress security vaults or key management services) for storing OAuth credentials instead of plugin options. Establish a post-incident review process to prevent similar credential exposure in the future.
A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allo
A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute
The Comments - wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including
Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a stored cross-site script
Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team Comments - wpDiscuz plugin <= 7.6.11 versions. Rated hi
Auth. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch
The Comments - wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow mess
wpDiscuz before version 7.6.47 contains a vote manipulation vulnerability that allows unauthenticated attackers to artif
The wpDiscuz WordPress plugin before 7.3.4 does check for CSRF when adding, editing and deleting comments, which could a
High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains an SQL injection vulnerabili
High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a cross-site request forgery
High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains an unauthenticated denial of
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11748