Description
The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Published: 2025-06-05
Score: 8.8 High
EPSS: 13.4% Moderate
KEV: No
Impact: Privilege Escalation via arbitrary option updates
Action: Immediate Patch
AI Analysis

Impact

The HyperComments plugin for WordPress contains a missing capability check on the hc_request_handler function, allowing unauthenticated users to modify any WordPress option. An attacker can use this to change the default role for new registrations to administrator, enable user registration, and thereby create an administrative account with full access to the site. This flaw leads directly to privileged control over the affected WordPress installation.
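
The pattern behind CWE-862 here, as an added illustration written for this page (not the HyperComments plugin's code, which is not reproduced on this page): a hypothetical AJAX handler that calls update_option() on whatever option the request names, next to a hardened version. The action name hc_request, the POST parameters option and value, the nonce name and the allowlisted option names are all assumptions made for the example.

```php
<?php
// Added example, not the plugin's real hc_request_handler. It shows the
// missing-authorization pattern the advisory describes and one way to fix it.

// --- Vulnerable pattern (hypothetical) -------------------------------------
// Registered for logged-in and anonymous AJAX callers alike, and trusting the
// request to name the option. Any caller can set default_role=administrator
// and users_can_register=1, then register an administrator account.
function vuln_hc_request_handler() {
    $option = isset($_POST['option']) ? (string) $_POST['option'] : '';
    $value  = isset($_POST['value'])  ? wp_unslash($_POST['value']) : '';
    update_option($option, $value);   // no capability check, no nonce, no allowlist
    wp_send_json_success();
}
add_action('wp_ajax_hc_request',        'vuln_hc_request_handler');
add_action('wp_ajax_nopriv_hc_request', 'vuln_hc_request_handler');

// --- Hardened version -------------------------------------------------------
// Three independent controls: the capability check that was missing, a nonce
// against CSRF, and an allowlist so the handler can only touch its own options.
const HC_ALLOWED_OPTIONS = ['hc_widget_id', 'hc_site_key'];   // hypothetical names

function hardened_hc_request_handler() {
    // 1. Authorization: only users who may manage site options at all.
    //    A Subscriber-level account fails this check.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    // 2. CSRF: nonce issued with wp_create_nonce('hc_request') on the settings page.
    check_ajax_referer('hc_request', '_hc_nonce');

    // 3. Allowlist: never let the request name an arbitrary option.
    $option = isset($_POST['option']) ? sanitize_key($_POST['option']) : '';
    if (!in_array($option, HC_ALLOWED_OPTIONS, true)) {
        wp_send_json_error('unknown option', 400);
    }
    $value = isset($_POST['value']) ? sanitize_text_field(wp_unslash($_POST['value'])) : '';
    update_option($option, $value);
    wp_send_json_success();
}
// No wp_ajax_nopriv_ registration: anonymous callers must not reach this at all.
add_action('wp_ajax_hc_request', 'hardened_hc_request_handler');
```

The allowlist is what actually closes the privilege-escalation path: even a caller who legitimately passes the capability check cannot use this handler to reach default_role or users_can_register.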

Affected Systems

All WordPress sites running the HyperComments plugin at version 1.2.2 or earlier are affected. The product is the HyperComments plugin by siteheart, distributed through the WordPress plugin repository.

Risk and Exploitability

The CVSS score of 8.8 indicates a high-severity weakness, and the EPSS score of 13.4% suggests a moderate likelihood of exploitation. The vulnerability is not listed in CISA KEV. The description states that the flaw is reachable without authentication, but the current CVSS 3.1 vector (PR:L, revised from PR:N on 8 April 2026) and the "(Subscriber+)" qualifier in the advisory title indicate that a low-privileged account is required; on a site with open registration that is no real barrier. The attack consists of sending crafted HTTP requests to the plugin's hc_request_handler, which updates the named option without checking the caller's capabilities. Once successful, the attacker can escalate to full administrative control of the site.

Generated by OpenCVE AI on April 22, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update HyperComments to the latest version (1.2.3 or later) as soon as possible; if no fixed release is available to you, deactivate and remove the plugin rather than leaving it installed.
  • Set the default role for new registrations (the default_role option) back to Subscriber and disable user registration (the users_can_register option, "Anyone can register") if the site does not need it; re-check both settings after patching, since the attack changes them.
  • Review existing user accounts, remove any administrator accounts you did not create, and log changes to options and user roles so that future unauthorized activity is detected.
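
An added example of the logging and checks the last two actions call for, written for this page and not part of OpenCVE's recommendations or the plugin vendor's code: a must-use plugin that records changes to the two options the attack flips and any role change that grants administrator, plus a function that reports the current state of those settings. The function names and the log prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Registration option and role audit (added example)
 * Description: Logs changes to registration-related options and to user roles.
 * Drop into wp-content/mu-plugins/ so it loads before ordinary plugins.
 * Added example for this page, not OpenCVE's or the plugin vendor's code.
 */

// The two options the attack described on this page changes.
const HC_AUDIT_OPTIONS = ['users_can_register', 'default_role'];

// Log every update to a watched option with the acting user and request details.
add_action('updated_option', function ($option, $old_value, $value) {
    if (!in_array($option, HC_AUDIT_OPTIONS, true)) {
        return;
    }
    hc_audit_log(sprintf(
        'option %s changed from %s to %s',
        $option, wp_json_encode($old_value), wp_json_encode($value)
    ));
}, 10, 3);

// Log every role change that grants administrator.
add_action('set_user_role', function ($user_id, $role, $old_roles) {
    if ($role === 'administrator') {
        hc_audit_log(sprintf('user %d set to administrator (was %s)',
            $user_id, implode(',', $old_roles)));
    }
}, 10, 3);

// Registration assigns default_role directly, so also inspect new accounts.
add_action('user_register', function ($user_id) {
    $user = get_userdata($user_id);
    if ($user && in_array('administrator', (array) $user->roles, true)) {
        hc_audit_log(sprintf('new user %d (%s) registered directly as administrator',
            $user_id, $user->user_login));
    }
});

function hc_audit_log(string $message): void {
    $actor = is_user_logged_in() ? wp_get_current_user()->user_login : 'anonymous';
    $ip    = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';
    $uri   = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-';
    // error_log() writes to the PHP or web-server error log; forward that to your SIEM.
    error_log(sprintf('[wp-audit] %s actor=%s ip=%s uri=%s', $message, $actor, $ip, $uri));
}

// One-shot check of the two settings the attack flips. Returns the findings so it
// can be run from WP-CLI: wp eval 'print_r(hc_audit_check_registration());'
function hc_audit_check_registration(): array {
    $findings = [];
    if ((int) get_option('users_can_register') === 1) {
        $findings[] = 'users_can_register is enabled';
    }
    $role = get_option('default_role');
    if ($role !== 'subscriber') {
        $findings[] = "default_role is '$role' (expected 'subscriber')";
    }
    return $findings;
}
```

The option hooks only fire for changes made through the WordPress API, which is how a missing-capability-check bug like this one would be exploited; direct database edits bypass them, so the one-shot check is the thing to run during incident review.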

Advisories
Source: EUVD
ID: EUVD-2025-16984
Title: The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
History

Wed, 08 Apr 2026 17:00:00 +0000

Type: Metrics (cvssV3_1)
Values removed: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 05 Jun 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Jun 2025 11:30:00 +0000

Description (added): The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Title (added): HyperComments <= 1.2.2 - Unauthenticated (Subscriber+) Arbitrary Options Update
Weaknesses (added): CWE-862
References (added): (none listed)
Metrics (added): cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Siteheart: Hypercomments Plugin
Wordpress: Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:07.107Z

Reserved: 2025-06-04T21:39:51.682Z

Link: CVE-2025-5701

Vulnrichment

Updated: 2025-06-05T14:28:54.156Z

NVD

Status : Deferred

Published: 2025-06-05T12:15:24.233

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5701

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T15:00:05Z

Weaknesses