CVE-2025-13820
BaseFortify
Publication date: 2026-01-01
Last updated on: 2026-01-05
Assigner: WPScan
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpdiscuz | wpdiscuz | < 7.6.40 (7.6.40 itself is not affected) |
| comments | comments | < 7.6.40 (7.6.40 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability affects the wpDiscuz WordPress plugin in versions before 7.6.40. When the plugin's Disqus.com login provider is enabled, wpDiscuz does not properly verify the identity of the person authenticating through Disqus: it accepts the email address associated with the Disqus account as sufficient to identify the matching WordPress user. An attacker who knows a victim's email address, and for whom no Disqus account is already registered under that address, can create a Disqus account with it, complete the Disqus login on the WordPress site, and end up logged in as the victim without ever knowing the victim's WordPress credentials. The result is a full takeover of the victim's account on that site. [1]
How can this vulnerability impact me? :
The attacker can impersonate any user of the WordPress site whose email address they know and who has not already claimed a Disqus account under that address. Because the check is purely email-based, this includes administrator accounts, so the impact is effectively privilege escalation to the highest role present: unauthorized actions performed as the victim, theft of data the victim can read, and, with an administrator account, compromise of the whole site. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection is a configuration check rather than a network one: a site is exposed if it runs wpDiscuz older than 7.6.40 and has the Disqus login provider enabled and configured in the wpDiscuz settings. Check the installed version in the WordPress admin plugin list, or with WP-CLI: `wp plugin list | grep wpdiscuz` (or `wp plugin get wpdiscuz --field=version` for the bare version string). Also review whether user registration is enabled in the WordPress settings. The referenced resources give no specific commands for spotting exploitation attempts; in practice, monitor for logins performed through the Disqus provider that the account owner did not initiate, and for unexpected Disqus-based logins to privileged accounts. [1]
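The version check above, turned into a small script. This is an added example written for this page, not code from wpDiscuz or from the referenced resources. It assumes the plugin is installed under `wp-content/plugins/wpdiscuz/` and that its main file carries a standard WordPress `Version:` header line (the file name `class.WpdiscuzCore.php` and the environment variable `WPDISCUZ_HEADER` are assumptions used for illustration); when the variable is not set it runs against a constructed sample header so it can be tried offline. It relies on GNU `sort -V` for the version comparison.

```shell
#!/bin/sh
# Added example: decide whether an installed wpDiscuz version is below the
# 7.6.40 fix for CVE-2025-13820. Not part of the wpDiscuz project.

FIXED_VERSION="7.6.40"

# Compare dotted version $1 against $2 using GNU sort -V (assumption: GNU
# coreutils is available). Prints "older", "same" or "newer".
version_cmp() {
  if [ "$1" = "$2" ]; then
    echo same
    return
  fi
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)
  if [ "$lowest" = "$1" ]; then
    echo older
  else
    echo newer
  fi
}

# Pull the version out of a WordPress plugin header block: the first line of
# the form " * Version: X.Y.Z" in the file given as $1.
plugin_version_from_header() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*//p' "$1" | head -n1 | tr -d '\r'
}

# Print "vulnerable" when $1 is below the fixed version, otherwise "patched".
wpdiscuz_status() {
  case "$(version_cmp "$1" "$FIXED_VERSION")" in
    older) echo vulnerable ;;
    *)     echo patched ;;
  esac
}

# Demo: check the header file named by WPDISCUZ_HEADER if it is set (assumed
# default path shown in the comment below), otherwise a constructed sample
# header standing in for an outdated install.
#   WPDISCUZ_HEADER=wp-content/plugins/wpdiscuz/class.WpdiscuzCore.php sh check.sh
header="${WPDISCUZ_HEADER:-}"
if [ -z "$header" ] || [ ! -r "$header" ]; then
  header=$(mktemp)
  printf '<?php\n/*\n * Plugin Name: Comments - wpDiscuz\n * Version: 7.6.39\n */\n' > "$header"
  echo "no readable WPDISCUZ_HEADER given; using a constructed sample header"
fi
installed=$(plugin_version_from_header "$header")
echo "wpDiscuz version: ${installed:-unknown} -> $(wpdiscuz_status "$installed")"
```

On a live site `wp plugin get wpdiscuz --field=version` gives the same version string without reading the file, and `wpdiscuz_status` can be fed its output directly. A "vulnerable" result only matters if the Disqus login provider is actually enabled in the wpDiscuz settings, which this script does not inspect.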
What immediate steps should I take to mitigate this vulnerability?
Update the wpDiscuz plugin to version 7.6.40 or later, the release in which this is fixed. Until the update is applied, disable the Disqus login provider in the wpDiscuz settings, since the flaw is only reachable through that provider. Also review the WordPress user registration settings and restrict them where the site does not need open registration. [1]