CVE-2025-13820
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-01

Last updated on: 2026-01-05

Assigner: WPScan

Description
The Comments WordPress plugin before 7.6.40 does not properly validate user's identity when using the disqus.com provider, allowing an attacker to log in to any user (when knowing their email address) when such user does not have an account on disqus.com yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-01
Last Modified
2026-01-05
Generated
2026-06-16
AI Q&A
2026-01-02
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13820
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wpdiscuz wpdiscuz to 7.6.40 (exc)
comments comments to 7.6.40 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability affects the wpDiscuz WordPress plugin versions before 7.6.40. It occurs because the plugin does not properly validate a user's identity when using the Disqus.com login provider. An attacker who knows a user's email address can create a Disqus account with that email if the user does not already have one, and then log in to the WordPress site as that user without needing their credentials. This allows the attacker to take over the victim's account on the WordPress site. [1]

Impact Analysis

This vulnerability can lead to privilege escalation where an attacker can impersonate any user on the WordPress site if they know the user's email address and the user does not have a Disqus account. This means the attacker can gain unauthorized access to user accounts, potentially including administrator accounts, leading to unauthorized actions, data theft, or site compromise. [1]

Detection Guidance

Detection involves verifying if your WordPress site uses the wpDiscuz plugin version prior to 7.6.40 with the Disqus login provider enabled and configured. You can check the installed plugin version via WordPress admin or by running: `wp plugin list | grep wpdiscuz`. Also, verify if user registration is enabled in WordPress settings. There are no specific network commands provided to detect exploitation attempts, but monitoring for suspicious Disqus login activity or unexpected user logins via Disqus could help. [1]

Mitigation Strategies

Immediately update the wpDiscuz plugin to version 7.6.40 or later, where this vulnerability is fixed. Additionally, consider disabling the Disqus login provider in wpDiscuz settings until the update is applied. Review and possibly restrict user registration settings in WordPress to reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13820. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart