Cyber Posture

CVE-2026-22193

Severity: High · Public PoC

Published: 13 March 2026
Modified: 17 March 2026
KEV Added: not listed
Patch: available (wpDiscuz 7.6.47)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (11.1th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22193 is a high-severity SQL Injection (CWE-89) vulnerability in Gvectors Wpdiscuz. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 11.1th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced. The low EPSS percentile and the public PoC should be read together: the CVSS vector rates attack complexity as high (AC:H), but a published PoC lowers the practical bar for exploitation regardless of the score.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 Information Input Validation (prevent)

Prevents the injection by validating the string parameters (email, activation_key, subscription_date, imported_from) that getAllSubscriptions() accepts before they are incorporated into SQL. Validation is defense in depth here: the root cause is that these values are interpolated into SQL without quote escaping, so the code-level fix is to escape them or, preferably, bind them as query parameters (in WordPress, $wpdb->prepare() with %s placeholders).

SI-2 Flaw Remediation (prevent)

Remediates the flaw by updating wpDiscuz to version 7.6.47 or later, which adds the missing quote escaping in the affected SQL queries.

RA-5 Vulnerability Monitoring and Scanning (detect)

Detects vulnerable wpDiscuz installations through regular vulnerability scanning of WordPress plugins and other components, for example by flagging any wpDiscuz version below 7.6.47.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote SQL injection in public-facing WordPress plugin enables exploitation of the application over the network (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

wpDiscuz before 7.6.47 contains an SQL injection vulnerability in the getAllSubscriptions() function where string parameters lack proper quote escaping in SQL queries. Attackers can inject malicious SQL code through email, activation_key, subscription_date, and imported_from parameters to manipulate database queries and extract sensitive information.

Deeper analysis [AI]

CVE-2026-22193, published on 2026-03-13, is an SQL injection vulnerability (CWE-89) in the wpDiscuz WordPress plugin for versions prior to 7.6.47. The flaw exists in the getAllSubscriptions() function, where string parameters including email, activation_key, subscription_date, and imported_from lack proper quote escaping in SQL queries. This allows attackers to inject malicious SQL code, enabling manipulation of database queries and extraction of sensitive information.

The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility with high attack complexity, no required privileges or user interaction, and unchanged scope. Remote attackers can exploit it to manipulate database operations, achieving high impacts on confidentiality through data extraction, as well as integrity and availability via query alterations such as data modification or denial of service.
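To make the mechanics concrete, the following Python example is added for this page; it is not wpDiscuz's code and does not reproduce the real getAllSubscriptions(). It builds a constructed in-memory SQLite table (the table name, the sample rows, and everything beyond the four parameter names from the advisory are invented for the demo) and contrasts a lookup that interpolates string filters into quoted SQL literals without escaping, as the advisory describes, against one that binds them as parameters. The attacker-supplied email closes the quoted literal and appends OR '1'='1', so the vulnerable variant returns every subscription together with its activation key, while the parameterized variant returns nothing for the same input.

```python
"""Added example for this page: why unescaped string parameters in a
subscription lookup are exploitable (CWE-89), and the parameterized fix.

Illustrative code only, not wpDiscuz's getAllSubscriptions(). The table,
columns and rows are constructed for the demo; only the parameter names
(email, activation_key, subscription_date, imported_from) come from the
advisory text."""
import sqlite3

# Constructed sample data standing in for a subscriptions table.
SAMPLE_ROWS = [
    ("alice@example.com", "k-alice-1", "2026-03-01", "wp"),
    ("bob@example.com",   "k-bob-2",   "2026-03-02", "wp"),
    ("carol@example.com", "k-carol-3", "2026-03-03", "import"),
]

# The four string filters named in the advisory.
FILTER_COLUMNS = ("email", "activation_key", "subscription_date", "imported_from")


def open_db():
    """Create an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscriptions ("
        "email TEXT, activation_key TEXT, subscription_date TEXT, imported_from TEXT)"
    )
    conn.executemany("INSERT INTO subscriptions VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_all_subscriptions_vulnerable(conn, **filters):
    """Mirrors the flawed pattern: each string filter is spliced into the SQL
    text inside single quotes with no escaping, so a quote in the value
    terminates the literal and the rest is parsed as SQL."""
    where = [f"{col} = '{val}'" for col, val in filters.items() if col in FILTER_COLUMNS]
    sql = "SELECT email, activation_key FROM subscriptions"
    if where:
        sql += " WHERE " + " AND ".join(where)
    return conn.execute(sql).fetchall()


def get_all_subscriptions_fixed(conn, **filters):
    """Hardened form: column names are restricted to a fixed allow-list and
    values travel as bound parameters, so they never reach the SQL parser.
    (In WordPress/PHP the equivalent is $wpdb->prepare() with %s placeholders.)"""
    cols = [c for c in filters if c in FILTER_COLUMNS]
    sql = "SELECT email, activation_key FROM subscriptions"
    params = []
    if cols:
        sql += " WHERE " + " AND ".join(f"{c} = ?" for c in cols)
        params = [filters[c] for c in cols]
    return conn.execute(sql, params).fetchall()


# Attacker-controlled value: closes the string literal and makes the WHERE
# clause true for every row, leaking all subscriptions and activation keys.
PAYLOAD = "nobody@example.com' OR '1'='1"


def demo():
    """Return (rows leaked by the vulnerable query, rows from the fixed query
    for the same payload, rows from the fixed query for a legitimate email)."""
    conn = open_db()
    leaked = get_all_subscriptions_vulnerable(conn, email=PAYLOAD)
    safe = get_all_subscriptions_fixed(conn, email=PAYLOAD)
    legit = get_all_subscriptions_fixed(conn, email="bob@example.com")
    return len(leaked), len(safe), len(legit)


if __name__ == "__main__":
    print(demo())  # (3, 0, 1)
```

Running the file prints (3, 0, 1): three rows leaked through the vulnerable path, none through the parameterized path, one legitimate match. Escaping the quotes (doubling ' to '', or esc_sql() in WordPress) also blocks this particular payload, which is what the advisory's "lack of quote escaping" refers to, but binding values as parameters keeps them out of the SQL parser entirely and is the fix to prefer.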

Advisories recommend updating to wpDiscuz 7.6.47 or later to mitigate the issue. Additional details are available in the VulnCheck advisory at https://www.vulncheck.com/advisories/wpdiscuz-before-sql-injection-in-getallsubscriptions and on the plugin's WordPress.org pages at https://wordpress.org/plugins/wpdiscuz/ and https://wordpress.org/plugins/wpdiscuz/#developers.

Details

CWE(s)

CWE-89 SQL Injection

Affected Products

gvectors wpdiscuz < 7.6.47 (fixed in 7.6.47)

CVEs Like This One

CVE-2026-22202 (same product: Gvectors Wpdiscuz)
CVE-2026-22192 (same product: Gvectors Wpdiscuz)
CVE-2026-22199 (same product: Gvectors Wpdiscuz)
CVE-2023-46309 (same product: Gvectors Wpdiscuz)
CVE-2026-22182 (same product: Gvectors Wpdiscuz)
CVE-2023-45760 (same product: Gvectors Wpdiscuz)
CVE-2026-28562 (same vendor: Gvectors)
CVE-2026-3180 (shared CWE-89)
CVE-2025-1872 (shared CWE-89)
CVE-2026-32458 (shared CWE-89)

References

VulnCheck advisory: https://www.vulncheck.com/advisories/wpdiscuz-before-sql-injection-in-getallsubscriptions
wpDiscuz plugin page: https://wordpress.org/plugins/wpdiscuz/
wpDiscuz development page: https://wordpress.org/plugins/wpdiscuz/#developers