CVE-2026-22193 CRITICAL

CVE-2026-22193: wpDiscuz before 7.6.47 - SQL Injection in getAllSubscriptions()

Vendor: Gvectors
Product: wpDiscuz
Weakness: CWE-89 · SQLi
Published: March 13, 2026
Last update: March 13, 2026

CVSS base score

9.2/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

wpDiscuz before 7.6.47 contains an SQL injection vulnerability in the getAllSubscriptions() function where string parameters lack proper quote escaping in SQL queries. Attackers can inject malicious SQL code through email, activation_key, subscription_date, and imported_from parameters to manipulate database queries and extract sensitive information.
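
The flaw class described above, shown as an added example; this is not wpDiscuz code. It models a filter query over the four parameters the description names and compares string-built SQL with bound parameters. The table layout, the function names and the use of Python with sqlite3 (standing in for the plugin's PHP and MySQL) are assumptions; in WordPress the equivalent binding is done with `$wpdb->prepare()`.

```python
import sqlite3

# Filter names taken from the advisory text; everything else here is constructed.
FILTERS = ("email", "activation_key", "subscription_date", "imported_from")

def make_db():
    """Build a constructed in-memory table with two sample subscribers."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscriptions (email TEXT, activation_key TEXT, "
               "subscription_date TEXT, imported_from TEXT)")
    db.executemany("INSERT INTO subscriptions VALUES (?,?,?,?)", [
        ("alice@example.test", "k-alice", "2026-01-05", "plugin-a"),
        ("bob@example.test", "k-bob", "2026-02-11", "plugin-b"),
    ])
    return db

def get_subscriptions_unsafe(db, **filters):
    """Flawed pattern: values are wrapped in quotes, embedded quotes are not escaped."""
    where = " AND ".join(f"{c} = '{filters[c]}'" for c in FILTERS if c in filters)
    sql = "SELECT email FROM subscriptions" + (f" WHERE {where}" if where else "")
    return [row[0] for row in db.execute(sql)]

def get_subscriptions_safe(db, **filters):
    """Hardened: column names come from a fixed allowlist, values are bound."""
    unknown = set(filters) - set(FILTERS)
    if unknown:
        raise ValueError(f"unsupported filter: {sorted(unknown)}")
    cols = [c for c in FILTERS if c in filters]
    where = " AND ".join(f"{c} = ?" for c in cols)
    sql = "SELECT email FROM subscriptions" + (f" WHERE {where}" if where else "")
    return [row[0] for row in db.execute(sql, [str(filters[c]) for c in cols])]

def demo():
    """Run the same quote-bearing value through both query builders."""
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed value containing single quotes
    return (get_subscriptions_unsafe(db, email=crafted),   # filter is bypassed
            get_subscriptions_safe(db, email=crafted),     # treated as a literal
            get_subscriptions_safe(db, email="bob@example.test"))

if __name__ == "__main__":
    for label, rows in zip(("unsafe", "safe", "safe exact match"), demo()):
        print(f"{label}: {rows}")
```

With the string-built query the email filter stops constraining the result set, while the bound version compares the whole value as one literal and matches nothing.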

Key dates

02 Disclosure timeline

March 13, 2026 CVE published
March 13, 2026 Record updated