CVE-2026-7385
Deferred - Pending Action
Email Address Enumeration in Decent Comments WordPress Plugin

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: WPScan

Description
The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses.
Meta Information
Generated: 2026-05-20
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: decent_comments
Product: decent_comments
Version / Range: before 3.0.2 (3.0.2 excluded)
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

The Decent Comments WordPress plugin, in versions before 3.0.2, does not restrict access to the email addresses of comment authors and post authors through its REST API endpoint.

This means that unauthenticated attackers can send requests to the plugin's API and retrieve the email addresses of registered users without needing to log in or have any permissions.


How can this vulnerability impact me?

This vulnerability can lead to the exposure of registered users' email addresses to unauthorized parties.

Attackers can use these email addresses for malicious purposes such as phishing attacks, spam campaigns, or targeted social engineering.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This can be detected by requesting the plugin's REST endpoint with no cookies and no Authorization header and checking whether the response contains email addresses.

A suggested command uses curl to fetch the endpoint (the route below is the one named on this page; confirm the namespace against the route list at https://TARGET/wp-json/ for the installed version):

  • curl -s https://TARGET/wp-json/decent-comments/v1/comments

If the response contains comment author or post author email addresses without authentication, the vulnerability is present. Look for any email-shaped string (user@domain) anywhere in the JSON rather than for one particular field name, since the plugin may nest them under post or author objects. Independently of what the endpoint returns, compare the installed plugin version against 3.0.2, for example with the WP-CLI command wp plugin list: anything before 3.0.2 is affected.
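The check described above, as an added example that is not code from the Decent Comments plugin or from WPScan: a small PHP CLI script that fetches a URL anonymously, decodes the JSON, and walks it recursively so that every email-shaped value is reported together with its position in the document. The target URL is a command-line argument; with no argument it runs against a constructed sample body whose field names are illustrative assumptions, not the plugin's real schema.

```php
<?php
/**
 * Added example (not from the Decent Comments plugin or WPScan): scan a REST
 * response body for email-shaped strings and report where they sit in the JSON.
 *
 * Usage:  php find-emails.php https://TARGET/wp-json/decent-comments/v1/comments
 * With no argument it runs against the constructed sample body below.
 */

/**
 * Recursively walk decoded JSON and return ['$.path' => 'value'] for every
 * string that validates as an email address, whatever key it is stored under.
 */
function find_email_values( $data, string $path = '$' ): array {
	$found = array();
	if ( is_string( $data ) ) {
		if ( filter_var( $data, FILTER_VALIDATE_EMAIL ) !== false ) {
			$found[ $path ] = $data;
		}
		return $found;
	}
	if ( is_array( $data ) ) {
		foreach ( $data as $key => $value ) {
			$child  = is_int( $key ) ? "{$path}[{$key}]" : "{$path}.{$key}";
			$found += find_email_values( $value, $child );
		}
	}
	return $found;
}

/** Plain anonymous GET: no cookies, no Authorization header, non-2xx bodies kept. */
function fetch_unauthenticated( string $url ): string {
	$ctx  = stream_context_create( array( 'http' => array( 'ignore_errors' => true, 'timeout' => 15 ) ) );
	$body = file_get_contents( $url, false, $ctx );
	return $body === false ? '' : $body;
}

// Constructed sample shaped like a comment listing that leaks both a commenter's
// and a post author's address. Field names are illustrative, not the plugin's.
$sample = '[{"id":12,"author":"alice","comment_author_email":"alice@example.org",'
	. '"post":{"id":3,"title":"Hello","author":{"name":"bob","email":"bob@example.org"}}}]';

$body = isset( $argv[1] ) ? fetch_unauthenticated( $argv[1] ) : $sample;
// json_decode() yields null for a non-JSON body, which the walker treats as "nothing found".
$hits = find_email_values( json_decode( $body, true ) );

if ( ! $hits ) {
	echo "No email addresses in response.\n";
	exit( 0 );
}
foreach ( $hits as $where => $email ) {
	echo "EXPOSED  {$where} = {$email}\n";
}
exit( 1 );
```

Against the sample it reports two hits, one at the comment level and one nested under the post's author object, which is the pattern the description calls out (comment author and post author addresses). A non-zero exit code on any hit makes the script usable as a scheduled check after the update has been applied.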


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthenticated attackers to enumerate registered user email addresses via the Decent Comments WordPress plugin's REST API endpoint.

Email addresses are personal data under GDPR, so their disclosure to unauthenticated parties is a personal data breach that may trigger the regulation's breach-notification and accountability obligations. HIPAA is relevant only where the site processes protected health information; on such a site, exposing the addresses of people who commented or authored posts would also fall under its safeguards for sensitive data.

Organizations using affected versions of the plugin may be at risk of violating these regulations due to unauthorized disclosure of user email addresses.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately update the Decent Comments WordPress plugin to version 3.0.2 or later, where the issue is fixed.

If updating is not immediately possible, restrict the REST endpoint "https://TARGET/wp-json/decent-comments/v1/comments" to authenticated users, or block it at the firewall or with a security plugin. Note that WordPress also serves every REST route through the query-string form "https://TARGET/?rest_route=/decent-comments/v1/comments", so a rule that only matches the /wp-json/ path leaves the endpoint reachable; block both forms or enforce the restriction inside WordPress itself.
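One way to enforce that restriction inside WordPress, as an added example that is not code from the Decent Comments plugin or from WPScan: a must-use plugin that hooks the core rest_pre_dispatch filter and rejects anonymous requests to the plugin's namespace before any route callback runs. Because the filter sits at the REST dispatcher, it covers both the /wp-json/ and the ?rest_route= URL forms. The namespace prefix "/decent-comments/v1/" is taken from the route named on this page and is an assumption; adjust it if the installed version registers a different namespace.

```php
<?php
/**
 * Plugin Name: Block unauthenticated Decent Comments REST access (added example)
 *
 * Added example, not code from the Decent Comments plugin or from WPScan.
 * Save as wp-content/mu-plugins/block-decent-comments-rest.php; mu-plugins
 * load before ordinary plugins and cannot be deactivated from wp-admin.
 *
 * Assumption: the affected route lives under the REST namespace
 * "decent-comments/v1", as named on this page. Check https://TARGET/wp-json/
 * and change DC_PROTECTED_ROUTE_PREFIX if the installed version differs.
 */

defined( 'ABSPATH' ) || exit;

// Routes are compared in the form WP_REST_Request::get_route() returns them,
// i.e. "/namespace/vN/endpoint" without the /wp-json base.
const DC_PROTECTED_ROUTE_PREFIX = '/decent-comments/v1/';

/**
 * Decide whether a request to $route must be rejected.
 * Pure function, so the matching rule can be unit-tested without WordPress.
 */
function dc_should_block_route( string $route, bool $is_logged_in ): bool {
	if ( $is_logged_in ) {
		return false;
	}
	// Normalise so the namespace root ("/decent-comments/v1") matches too.
	$route = rtrim( $route, '/' ) . '/';
	return 0 === strpos( $route, DC_PROTECTED_ROUTE_PREFIX );
}

/**
 * rest_pre_dispatch runs after authentication and before the route callback,
 * for every REST request regardless of whether it arrived via /wp-json/ or
 * ?rest_route=. Returning a WP_Error short-circuits dispatch with that error.
 */
add_filter(
	'rest_pre_dispatch',
	function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
		if ( dc_should_block_route( $request->get_route(), is_user_logged_in() ) ) {
			return new WP_Error(
				'rest_forbidden',
				'Authentication required for this endpoint.',
				array( 'status' => 401 )
			);
		}
		return $result;
	},
	10,
	3
);
```

The trade-off: if the plugin's own front-end widgets call this endpoint to render comments for anonymous visitors, those widgets will stop working until the update to 3.0.2 is applied, so treat this as a stop-gap rather than a permanent fix.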

