CVE-2026-22193 PUBLISHED

wpDiscuz before 7.6.47 - SQL Injection in getAllSubscriptions()

Assigner: VulnCheck
Reserved: 06.01.2026 Published: 13.03.2026 Updated: 13.03.2026

wpDiscuz before 7.6.47 contains an SQL injection vulnerability in the getAllSubscriptions() function where string parameters lack proper quote escaping in SQL queries. Attackers can inject malicious SQL code through email, activation_key, subscription_date, and imported_from parameters to manipulate database queries and extract sensitive information.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.2

Product Status

Vendor gVectors
Product wpDiscuz
Versions Default: unaffected
  • affected from 0 to 7.6.47 (excl.)
  • Version 7.6.47 is unaffected

Credits

  • Scott Moore - VulnCheck finder

References

Problem Types

  • Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE