CVE-2026-22193

CRITICAL | CVSS 4.0: 9.2 | EPSS: 0.04%
Updated Mar 17, 2026
Gvectors
Parameter: Value
CVSS: 9.2 (CRITICAL)
Affected Versions: before 7.6.47
Fixed In: 7.6.47
Type: CWE-89 (SQL Injection)
Vendor: Gvectors
Public PoC: No

wpDiscuz before 7.6.47 contains an SQL injection vulnerability in the getAllSubscriptions() function where string parameters lack proper quote escaping in SQL queries. Attackers can inject malicious SQL code through email, activation_key, subscription_date, and imported_from parameters to manipulate database queries and extract sensitive information.

Attack Parameters

Attack Vector: Network (can be exploited remotely)
Attack Complexity: Low (easy to exploit)
Attack Requirements: Present (additional conditions required)
Privileges Required: None (no privileges needed)
User Interaction: None (no user interaction needed)

Impact Assessment

Confidentiality: High (complete data leak)
Integrity: High (complete data modification)
Availability: High (complete denial of service)

Vulnerable Products (1)

Configuration: Gvectors Wpdiscuz
CPE: cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
From (including): -
Up to (excluding): 7.6.47