Impact
This vulnerability is an SQL injection flaw located in the getAllSubscriptions() function of the wpDiscuz WordPress plugin prior to version 7.6.47. Because user-supplied parameters (email, activation_key, subscription_date, and imported_from) are incorporated into SQL queries without proper escaping, an attacker can inject malicious SQL code. The injection can lead to unauthorized data extraction and potentially to the modification or deletion of database records, jeopardizing the confidentiality and integrity of stored information.
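To make the described defect concrete, the following added example (not code from the wpDiscuz plugin or from OpenCVE) mirrors the pattern in Python over an in-memory SQLite table: a vulnerable subscription lookup that splices the four filter values from the advisory straight into the SQL text, beside a corrected version that allowlists the column names and binds every value as a parameter. The table layout, the sample rows and the function names are constructed assumptions for illustration.

```python
import sqlite3

# Columns named in the advisory as the injectable parameters.
ALLOWED_FILTERS = ("email", "activation_key", "subscription_date", "imported_from")

# Constructed sample rows; the real plugin's schema is not reproduced here.
SAMPLE_ROWS = [
    ("alice@example.com", "key-aaa", "2024-01-10", "import-a"),
    ("bob@example.com", "key-bbb", "2024-02-11", None),
    ("carol@example.com", "key-ccc", "2024-03-12", "import-c"),
]


def make_db():
    """Build an in-memory table standing in for the subscriptions store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscriptions (email TEXT, activation_key TEXT, "
        "subscription_date TEXT, imported_from TEXT)"
    )
    conn.executemany("INSERT INTO subscriptions VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_all_subscriptions_vulnerable(conn, filters):
    """Flawed pattern: filter values become part of the SQL string, so a value
    containing a quote changes the query's structure instead of being data."""
    clauses = [f"{col} = '{val}'" for col, val in filters.items()]
    sql = "SELECT email FROM subscriptions WHERE " + " AND ".join(clauses)
    return [row[0] for row in conn.execute(sql)]


def get_all_subscriptions_fixed(conn, filters):
    """Corrected pattern: column names come only from an allowlist and every
    value is bound as a parameter, so it can never alter the query text."""
    clauses, params = [], []
    for col, val in filters.items():
        if col not in ALLOWED_FILTERS:
            raise ValueError(f"unsupported filter column: {col}")
        clauses.append(f"{col} = ?")
        params.append(val)
    where = " AND ".join(clauses) if clauses else "1=1"
    sql = "SELECT email FROM subscriptions WHERE " + where
    return [row[0] for row in conn.execute(sql, params)]
```

Running both functions with a filter value that closes the quote and appends a tautology shows the difference a reviewer would look for: the vulnerable query returns every row, while the parameterized query treats the same string as an ordinary (non-matching) email address.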
Affected Systems
The affected product is the wpDiscuz plugin developed by gVectors, available on WordPress. All installations running wpDiscuz versions earlier than 7.6.47 are vulnerable. The vulnerability is present in all instances where the getAllSubscriptions() function is accessible via the plugin's public API or interface.
Risk and Exploitability
The CVSS score is 9.2, indicating a high severity. The EPSS score is below 1%, suggesting a low current exploitation probability. It is not listed in the CISA KEV catalog. The attack likely requires remote access to the plugin's parameters, which are exposed through its public endpoints. Attackers can exploit the flaw by sending crafted requests containing malicious SQL in the affected parameters, leading to data compromise. The vulnerability's impact is local to the database accessed by the WordPress installation, but if that database is shared with other applications, the risk extends beyond the web environment.
OpenCVE Enrichment