Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeisle Disable Comments for Any Post Types (Remove comments) comments-plus allows Password Recovery Exploitation. This issue affects Disable Comments for Any Post Types (Remove comments): from n/a through <= 1.3.0.
Published: 2026-05-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an unauthenticated user to exploit the password recovery functionality of the Disable Comments for Any Post Types plugin to trigger password reset emails for any account. Because the plugin's authentication checks can be bypassed, attackers may obtain reset tokens or otherwise compromise account credentials, presenting a substantial risk of unauthorized access. The flaw falls under CWE-288, reflecting improper authentication controls.

Affected Systems

Any WordPress site that has installed the Themeisle Disable Comments for Any Post Types (Remove comments) plugin, version 1.3.0 or earlier, regardless of host platform.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity with moderate attack complexity. EPSS data is not available and the vulnerability is not listed in KEV. The remote attack vector is inferred to involve HTTP requests to the password-recovery endpoint, requiring no credentials to exploit. If the plugin is left at a vulnerable version, attackers can trigger password-reset emails for arbitrary users and potentially compromise their accounts.

Generated by OpenCVE AI on May 27, 2026 at 12:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Disable Comments for Any Post Types (Remove comments) to the latest version (greater than 1.3.0).
  • If an upgrade is not possible, disable or remove the password recovery functionality provided by the plugin, or restrict the reset endpoint to trusted IP addresses.
  • Implement role-based access controls and monitor password reset logs for suspicious activity.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type: Description
Values removed: (none)
Values added: Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeisle Disable Comments for Any Post Types (Remove comments) comments-plus allows Password Recovery Exploitation. This issue affects Disable Comments for Any Post Types (Remove comments): from n/a through <= 1.3.0.

Type: Title
Values removed: (none)
Values added: WordPress Disable Comments for Any Post Types (Remove comments) plugin <= 1.3.0 - Broken Authentication vulnerability

Type: Weaknesses
Values removed: (none)
Values added: CWE-288

Type: References
Values removed: (none)
Values added:

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:50:05.078Z

Reserved: 2026-04-29T09:05:35.592Z

Link: CVE-2026-42749

Vulnrichment

Updated: 2026-05-27T10:49:59.944Z

NVD

Status: Deferred

Published: 2026-05-27T11:16:21.413

Modified: 2026-05-27T14:50:47.627

Link: CVE-2026-42749

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T12:15:05Z

Weaknesses