Description
The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses.
Published: 2026-05-20
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Decent Comments WordPress plugin prior to version 3.0.2 allows unauthenticated users to access comment author and post author email addresses through its REST API endpoint. This can be exploited to enumerate registered users' email addresses, exposing personal contact information and potentially enabling phishing or targeted attacks. The vulnerability is an information disclosure flaw.

Affected Systems

WordPress sites that have installed the Decent Comments plugin version earlier than 3.0.2. All sites using this plugin without a later update are susceptible.

Risk and Exploitability

The vulnerability is accessible via an unauthenticated REST API call, requiring no special credentials or compromise of the host. The lack of a CVSS score and EPSS data suggests no publicly known exploitation, and the plugin is not listed in the CISA KEV catalog. Nevertheless, the privacy impact of revealing email addresses can be significant, and attackers could use the gathered addresses for social engineering or spam campaigns. Site owners should treat this as a moderate to high risk to confidentiality.

Generated by OpenCVE AI on May 20, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Decent Comments plugin to version 3.0.2 or newer.
  • If an immediate upgrade is not feasible, restrict access to the REST API endpoint that exposes email addresses by adding role-based access control or blocking the route for unauthenticated users.
  • Review and limit the data exposed by the plugin’s API, removing or obfuscating email addresses, or disable the REST API functionality for the plugin entirely if it is not required.

Generated by OpenCVE AI on May 20, 2026 at 07:20 UTC.

Advisories

No advisories yet.

History

Wed, 20 May 2026 18:30:00 +0000

Type: Metrics
Values Removed: none
Values Added:
  cvssV3_1: {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 11:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Decent Comments; Decent Comments decent Comments; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Decent Comments; Decent Comments decent Comments; Wordpress; Wordpress wordpress

Wed, 20 May 2026 07:45:00 +0000

Type: Weaknesses
Values Removed: none
Values Added: CWE-200; CWE-284

Wed, 20 May 2026 06:30:00 +0000

Type: Description
Values Removed: none
Values Added: The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses.

Type: Title
Values Removed: none
Values Added: Decent Comments < 3.0.2 - Unauthenticated Email Address Disclosure

Type: References
Values Removed: none
Values Added:

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-05-20T17:34:58.686Z

Reserved: 2026-04-29T08:45:59.638Z

Link: CVE-2026-7385

Vulnrichment

Updated: 2026-05-20T17:32:23.303Z

NVD

Status : Deferred

Published: 2026-05-20T07:16:16.353

Modified: 2026-05-20T18:16:27.673

Link: CVE-2026-7385

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:37:54Z

Weaknesses