CVE-2026-22203: Exposure of Sensitive Information to an Unauthorized Actor in gVectors wpDiscuz
wpDiscuz before 7.6.47 contains an information disclosure vulnerability that allows administrators to inadvertently expose OAuth secrets by exporting plugin options as JSON. Attackers can obtain exported files containing plaintext API secrets like fbAppSecret, googleClientSecret, twitterAppSecret, and other social login credentials from support tickets, backups, or version control repositories.
AI Analysis
Technical Summary
CVE-2026-22203 is a vulnerability in the gVectors wpDiscuz WordPress plugin, affecting all versions prior to 7.6.47. The flaw arises when administrators export plugin configuration options as JSON files: the export includes the plugin's OAuth credentials in plaintext, among them fbAppSecret, googleClientSecret, twitterAppSecret, and other social login API secrets. The root cause is that the export functionality neither excludes nor masks sensitive fields before writing the file. Anyone who later obtains such an export, commonly from support tickets, backups, or version control repositories, can harvest these secrets without exploiting the plugin directly or interacting with the system. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), high privileges required (PR:H, i.e. administrator access is needed to produce the export), no user interaction (UI:N), and high confidentiality impact (VC:H); integrity and availability are not affected. While no active exploits have been reported, the risk lies in the potential misuse of exposed OAuth secrets to impersonate users, hijack social login flows, or access third-party services integrated via these credentials. The issue highlights the importance of secure handling of sensitive configuration data and the risks of exporting such data without proper filtering or encryption.
Potential Impact
The primary impact of this vulnerability is the exposure of sensitive OAuth credentials that can compromise the confidentiality of social login integrations. Attackers obtaining these secrets can impersonate legitimate users, gain unauthorized access to connected social media or cloud services, and potentially escalate attacks within the affected organization. This can lead to account takeover, data leakage, and reputational damage. Since the vulnerability requires administrator privileges to export the data, the risk is somewhat mitigated by the need for high-level access; however, if backups or exported files are improperly stored or shared, attackers with access to these files can exploit the vulnerability without further system compromise. Organizations relying on social login features integrated via wpDiscuz are at risk of broader compromise of their authentication infrastructure. The vulnerability does not directly affect system availability or integrity but poses a significant confidentiality risk that can cascade into more severe attacks if OAuth secrets are abused.
Mitigation Recommendations
1. Immediately update wpDiscuz to version 7.6.47 or later, where this vulnerability has been addressed.
2. Audit and securely delete any exported JSON configuration files that may contain sensitive OAuth secrets, especially those stored in backups, support tickets, or version control repositories.
3. Rotate all exposed OAuth credentials (fbAppSecret, googleClientSecret, twitterAppSecret, etc.) to invalidate any leaked secrets and prevent unauthorized access.
4. Implement strict access controls and encryption for backups and exported configuration files to prevent unauthorized retrieval.
5. Educate administrators about the risks of exporting sensitive configuration data and establish policies to avoid exporting or sharing such data in plaintext.
6. Monitor logs and social login activity for suspicious behavior that may indicate misuse of compromised OAuth credentials.
7. Consider implementing environment-specific secrets management solutions to avoid storing sensitive credentials directly in plugin configurations.
8. Review and harden WordPress file permissions and access to prevent unauthorized access to configuration files.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-06T16:47:17.185Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69b36fc02f860ef9434ef2ae
Added to database: 3/13/2026, 2:00:32 AM
Last enriched: 3/13/2026, 2:15:39 AM
Last updated: 3/14/2026, 2:28:40 AM