CVE-2026-7385
Email Address Enumeration in Decent Comments WordPress Plugin

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: WPScan

Description
The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses.
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
decent_comments | decent_comments | up to 3.0.2 (exclusive)
CWE ID: CWE-UNKNOWN
Executive Summary

The Decent Comments WordPress plugin before version 3.0.2 has a security flaw: it does not restrict access to the email addresses of comment authors and post authors through its REST API endpoint.

This means that unauthenticated attackers can send requests to the plugin's API and retrieve the email addresses of registered users without needing to log in or have any permissions.

Impact Analysis

This vulnerability can lead to the exposure of registered users' email addresses to unauthorized parties.

Attackers can use these email addresses for malicious purposes such as phishing attacks, spam campaigns, or targeted social engineering.

Detection Guidance

This vulnerability can be detected by sending a request to the Decent Comments plugin REST API endpoint to check if email addresses are exposed without authentication.

A simple way to test this is to fetch the endpoint with curl:

  • curl https://TARGET/wp-json/decent-comments/v1/comments

If the response contains comment author or post author email addresses without requiring authentication, the vulnerability is present.

Compliance Impact

This vulnerability allows unauthenticated attackers to enumerate registered user email addresses via the Decent Comments WordPress plugin's REST API endpoint.

Exposure of personal data such as email addresses can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require protection of personally identifiable information (PII) and sensitive data.

Organizations using affected versions of the plugin may be at risk of violating these regulations due to unauthorized disclosure of user email addresses.

Mitigation Strategies

To mitigate this vulnerability, immediately update the Decent Comments WordPress plugin to version 3.0.2 or later, where the issue is fixed.

If updating is not immediately possible, consider restricting access to the REST API endpoint "https://TARGET/wp-json/decent-comments/v1/comments" to authenticated users only, or blocking the endpoint with a firewall or security plugin, to prevent unauthenticated enumeration of email addresses.
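One way to apply the interim "authenticated users only" mitigation inside WordPress itself, as an added example that is not part of this advisory or the plugin's own code: a must-use plugin that short-circuits REST dispatch for anonymous requests to the plugin's namespace. The route prefix is taken from the detection guidance above and should be confirmed against the installed plugin before relying on it; the file name and function names are placeholders chosen here.

```php
<?php
/**
 * Plugin Name: Block unauthenticated Decent Comments REST access (interim mitigation)
 *
 * Must-use plugin: save as wp-content/mu-plugins/dc-rest-guard.php so it loads on every request.
 * Assumption: the route prefix below comes from this page's detection guidance; confirm it
 * against the installed plugin's register_rest_route() calls before relying on it.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Protect the whole namespace rather than the single /comments route, so sibling routes are covered too.
const DC_PROTECTED_ROUTE_PREFIX = '/decent-comments/v1/';

/**
 * Short-circuit protected routes for visitors who are not logged in.
 *
 * WordPress applies rest_pre_dispatch before the route callback runs; returning a WP_Error
 * makes the REST server send that error instead of the route's response.
 *
 * @param mixed           $result  Pre-dispatch result (null unless another filter set it).
 * @param WP_REST_Server  $server  REST server instance (unused here).
 * @param WP_REST_Request $request Incoming request.
 * @return mixed WP_Error for blocked requests, otherwise $result unchanged.
 */
function dc_block_unauthenticated_rest( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // Another filter already decided; do not override it.
    }

    if ( 0 !== strpos( $request->get_route(), DC_PROTECTED_ROUTE_PREFIX ) ) {
        return $result; // Not a Decent Comments route; leave it alone.
    }

    if ( is_user_logged_in() ) {
        return $result; // Authenticated users keep access.
    }

    // rest_authorization_required_code() returns 401 for anonymous requests.
    return new WP_Error(
        'rest_forbidden',
        __( 'Authentication is required for this endpoint.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}
add_filter( 'rest_pre_dispatch', 'dc_block_unauthenticated_rest', 10, 3 );
```

Browser-side callers that rely on cookie authentication must still send a valid X-WP-Nonce header, otherwise WordPress treats the request as anonymous and this filter will block it as intended.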
