Cyber Resilience

CVE-2026-22193

Severity: Critical · Public PoC

Published: 13 March 2026
Modified: 17 March 2026
CVSS v4.0 score: 9.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0031 (22.0th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-22193 is a critical-severity SQL Injection (CWE-89) vulnerability in Gvectors Wpdiscuz. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-22193, published on 2026-03-13, is an SQL injection vulnerability (CWE-89) in the wpDiscuz WordPress plugin for versions prior to 7.6.47. The flaw exists in the getAllSubscriptions() function, where string parameters including email, activation_key, subscription_date, and imported_from lack proper quote escaping in SQL queries. This allows attackers to inject malicious SQL code, enabling manipulation of database queries and extraction of sensitive information.

The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility with high attack complexity, no required privileges or user interaction, and unchanged scope. Remote attackers can exploit it to manipulate database operations, achieving high impacts on confidentiality through data extraction, as well as integrity and availability via query alterations such as data modification or denial of service.

Advisories recommend updating to wpDiscuz 7.6.47 or later to mitigate the issue. Additional details are available in the VulnCheck advisory at https://www.vulncheck.com/advisories/wpdiscuz-before-sql-injection-in-getallsubscriptions and on the plugin's WordPress.org pages at https://wordpress.org/plugins/wpdiscuz/ and https://wordpress.org/plugins/wpdiscuz/#developers.
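To make the defect class concrete, here is a constructed PHP/WordPress illustration (added for this page, not wpDiscuz's own code): a hypothetical getAllSubscriptions() that splices the four string parameters named above straight into the query, beside the parameterised form built with $wpdb->prepare(). The table name and function names are assumptions.

```php
<?php
// Constructed illustration of the defect class described for CVE-2026-22193:
// string parameters interpolated into SQL without escaping, beside the
// parameterised form. Table and function names are hypothetical, not wpDiscuz code.

// Vulnerable pattern: string values are spliced directly into the query text,
// so a single quote inside a value terminates the string literal and the
// remainder of the value is parsed as SQL.
function getAllSubscriptions_vulnerable(wpdb $wpdb, array $args): array {
    $table = $wpdb->prefix . 'example_subscriptions'; // hypothetical table name
    $where = [];
    foreach (['email', 'activation_key', 'subscription_date', 'imported_from'] as $key) {
        if (isset($args[$key])) {
            $where[] = "`$key` = '" . $args[$key] . "'"; // no quote escaping
        }
    }
    $sql = "SELECT * FROM `$table`" . ($where ? ' WHERE ' . implode(' AND ', $where) : '');
    return $wpdb->get_results($sql, ARRAY_A) ?: [];
}

// Hardened pattern: every string value goes through a %s placeholder in
// $wpdb->prepare(), which escapes quotes and fixes the query structure before
// any user-controlled value is seen. Column names come from an allow-list,
// never from the request, because placeholders cannot bind identifiers.
function getAllSubscriptions_hardened(wpdb $wpdb, array $args): array {
    $table   = $wpdb->prefix . 'example_subscriptions'; // hypothetical table name
    $allowed = ['email', 'activation_key', 'subscription_date', 'imported_from'];
    $clauses = [];
    $values  = [];
    foreach ($allowed as $key) {
        if (isset($args[$key])) {
            $clauses[] = "`$key` = %s";
            $values[]  = (string) $args[$key];
        }
    }
    $sql = "SELECT * FROM `$table`";
    if ($clauses) {
        // prepare() accepts the bound values as a single array argument
        $sql = $wpdb->prepare($sql . ' WHERE ' . implode(' AND ', $clauses), $values);
    }
    return $wpdb->get_results($sql, ARRAY_A) ?: [];
}
```

The hardened version is what the SI-10 (Information Input Validation) control in this record points at: the query shape is decided by the code, and the request only supplies values.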

Vulnerability details

wpDiscuz before 7.6.47 contains an SQL injection vulnerability in the getAllSubscriptions() function where string parameters lack proper quote escaping in SQL queries. Attackers can inject malicious SQL code through email, activation_key, subscription_date, and imported_from parameters to manipulate database queries and extract sensitive information.

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote SQL injection in a public-facing WordPress plugin allows the application to be exploited over the network (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2023-46309: same product (Gvectors Wpdiscuz)
CVE-2023-45760: same product (Gvectors Wpdiscuz)
CVE-2026-22192: same product (Gvectors Wpdiscuz)
CVE-2026-22202: same product (Gvectors Wpdiscuz)
CVE-2026-22199: same product (Gvectors Wpdiscuz)
CVE-2026-22182: same product (Gvectors Wpdiscuz)
CVE-2026-28562: same vendor (Gvectors)
CVE-2026-24956: shared CWE-89
CVE-2026-33615: shared CWE-89
CVE-2025-28939: shared CWE-89

Affected Assets

gvectors wpdiscuz ≤ 7.6.47

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10 Information Input Validation): directly prevents SQL injection by validating the unescaped string parameters email, activation_key, subscription_date, and imported_from in the getAllSubscriptions() function before they are incorporated into SQL queries.

Prevent: mitigates the vulnerability through flaw remediation by updating wpDiscuz to version 7.6.47 or later, which fixes the lack of quote escaping in SQL queries.

Detect (RA-5 Vulnerability Monitoring and Scanning): enables detection of the SQL injection vulnerability in wpDiscuz via regular vulnerability scanning of WordPress components.
