Description
wpDiscuz before 7.6.47 contains an information disclosure vulnerability that allows administrators to inadvertently expose OAuth secrets by exporting plugin options as JSON. Attackers can obtain exported files containing plaintext API secrets like fbAppSecret, googleClientSecret, twitterAppSecret, and other social login credentials from support tickets, backups, or version control repositories.
Published: 2026-03-13
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Immediately
AI Analysis

Impact

wpDiscuz before version 7.6.47 contains an information‑disclosure flaw that lets an administrator export plugin options as a JSON file. The exported content includes OAuth secrets in plain text—such as fbAppSecret, googleClientSecret, and twitterAppSecret—used for social login integrations. Consequently, if an attacker obtains the exported file via support tickets, backups, or version‑control repositories, they gain direct access to these sensitive credentials, potentially compromising linked accounts and services.

Affected Systems

The vulnerability affects installations of the wpDiscuz WordPress plugin created by the vendor gVectors. All releases earlier than 7.6.47 are affected, as the flaw was fixed in that version. Because the exact affected sub‑versions are not listed in the vendor's release notes, administrators should verify that their current on‑site version is 7.6.47 or newer.

Risk and Exploitability

The issue has a CVSS v3 score of 6.9, indicating moderate severity, and an EPSS score of less than 1 %, implying low likelihood of current exploitation. It is not included in the CISA KEV catalog. Exploitation requires a privileged administrator who can perform the export or, alternatively, the presence of an exported file in backup or code‑repository artifacts that an attacker can read.

Generated by OpenCVE AI on March 17, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wpDiscuz to version 7.6.47 or higher
  • Verify that stored JSON exports are removed or access to them is tightly controlled
  • Review backup and version‑control repositories to ensure no exported JSON files are exposed

Generated by OpenCVE AI on March 17, 2026 at 21:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 02:00:00 +0000

Type Values Removed Values Added
Description wpDiscuz before 7.6.47 contains an information disclosure vulnerability that allows administrators to inadvertently expose OAuth secrets by exporting plugin options as JSON. Attackers can obtain exported files containing plaintext API secrets like fbAppSecret, googleClientSecret, twitterAppSecret, and other social login credentials from support tickets, backups, or version control repositories.
Title wpDiscuz before 7.6.47 - Options Export Leaks OAuth Secrets in Plaintext
First Time appeared Gvectors
Gvectors wpdiscuz
Weaknesses CWE-200
CPEs cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
Vendors & Products Gvectors
Gvectors wpdiscuz
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Gvectors Wpdiscuz
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-13T16:07:55.322Z

Reserved: 2026-01-06T16:47:17.185Z

Link: CVE-2026-22203

cve-icon Vulnrichment

Updated: 2026-03-13T16:07:48.616Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-13T19:54:10.580

Modified: 2026-03-17T20:23:48.140

Link: CVE-2026-22203

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:59:53Z

Weaknesses