CVE-2026-22203
6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
wpDiscuz before 7.6.47 contains an information disclosure vulnerability that allows administrators to inadvertently expose OAuth secrets by exporting plugin options as JSON. Attackers can obtain exported files containing plaintext API secrets like fbAppSecret, googleClientSecret, twitterAppSecret, and other social login credentials from support tickets, backups, or version control repositories.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| gVectors | wpDiscuz | 0 < 7.6.47 | affected |
| gVectors | wpDiscuz | 7.6.47 | unaffected |
Weaknesses
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://wordpress.org/plugins/wpdiscuz/#developers
- https://wordpress.org/plugins/wpdiscuz/
- https://www.vulncheck.com/advisories/wpdiscuz-before-options-export-leaks-oauth-secrets-in-plaintext
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.