CVE-2026-22203 | THREATINT

Description

wpDiscuz before 7.6.47 contains an information disclosure vulnerability that allows administrators to inadvertently expose OAuth secrets by exporting plugin options as JSON. Attackers can obtain exported files containing plaintext API secrets like fbAppSecret, googleClientSecret, twitterAppSecret, and other social login credentials from support tickets, backups, or version control repositories.

PUBLISHED Reserved 2026-01-06 | Published 2026-03-13 | Updated 2026-03-13 | Assigner VulnCheck

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

MEDIUM: 4.9CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Problem types

Exposure of Sensitive Information to an Unauthorized Actor

Product status

Default status

unaffected

Any version before 7.6.47

affected

7.6.47

unaffected

Credits

Scott Moore - VulnCheck finder

References

wordpress.org/plugins/wpdiscuz/ (wpDiscuz Changelog) patch

wordpress.org/plugins/wpdiscuz/ (wpDiscuz) product

www.vulncheck.com/...export-leaks-oauth-secrets-in-plaintext (VulnCheck Advisory: wpDiscuz before 7.6.47 - Options Export Leaks OAuth Secrets in Plaintext) third-party-advisory

cve.org (CVE-2026-22203)

nvd.nist.gov (CVE-2026-22203)

Download JSON