CVE-2026-22203

low-risk

Published 2026-03-13

wpDiscuz before 7.6.47 contains an information disclosure vulnerability that allows administrators to inadvertently expose OAuth secrets by exporting plugin options as JSON. Attackers can obtain exported files containing plaintext API secrets like fbAppSecret, googleClientSecret, twitterAppSecret, and other social login credentials from support tickets, backups, or version control repositories.

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.9/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Wpdiscuz

Affected Vendors

Gvectors

References (3)

Product https://wordpress.org/plugins/wpdiscuz/

Product https://wordpress.org/plugins/wpdiscuz/#developers

Third Party Advisory https://www.vulncheck.com/advisories/wpdiscuz-before-options-export-leaks-oauth-...

/ 100

low-risk

Severity 20/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal