The WP Discourse plugin has a flaw that causes it to transmit Discourse API credentials unconditionally to any host listed in a post’s discourse_permalink custom field when synchronizing comments. Authenticated users with author‑level access can exploit this to send the secret Api‑Key and Api‑Username headers to attacker‑controlled servers. By exposing these credentials, an attacker gains the ability to authenticate with the Discourse forum, read or modify content, and possibly query internal services, representing a clear confidentiality and integrity violation.

The affected system is any WordPress instance that runs the WP Discourse plugin version 2.5.9 or earlier supplied by the scossar vendor. This encompasses all installations of the plugin, regardless of the underlying WordPress version, with no other plugins implicated by the current CNA data.

The CVSS score of 4.3 marks this as a medium‑level information‑disclosure weakness that requires authenticated access. The EPSS score of less than 1% indicates that exploitation is unlikely at present, and the vulnerability is not listed in CISA’s KEV catalog. Nevertheless, the flaw allows an attacker to exfiltrate API credentials to arbitrary hosts and use those credentials for further internal attacks, which could provide full control over the associated Discourse forum and compromise user privacy. The attack can be carried out by a user with author‑level privileges who modifies a post’s discourse_permalink field and triggers comment synchronization, after which the credentials are sent to the specified host.