CRITICALCVE-2026-22193Published 2026-03-13Modified 2026-03-13CNA VulnCheck

CVE-2026-22193: wpDiscuz before 7.6.47 - SQL Injection in getAllSubscriptions()

wpDiscuz before 7.6.47 contains an SQL injection vulnerability in the getAllSubscriptions() function where string parameters lack proper quote escaping in SQL queries. Attackers can inject malicious SQL code through email, activation_key, subscription_date, and imported_from parameters to manipulate database queries and extract sensitive information.

CVSS v4.0: 9.2
Severity: CRITICAL
Fixed in: 7.6.47
Affected Products: 1

Fix available

7.6.47

Patch commits

wpDiscuz Changelog

Affected packages

gVectors / wpDiscuz
< 7.6.47 (from 0)
Fixed in 7.6.47

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

wpDiscuz Changelog
wpDiscuz
VulnCheck Advisory: wpDiscuz before 7.6.47 - SQL Injection in getAllSubscriptions()

Metrics

Fix available