Volerion logoVolerion
Volerion logoVolerion

WordPress Comments Plugin Unauthenticated Account Takeover Vulnerability

Vulnerability

A vulnerability exists in the WordPress Comments plugin, specifically in versions prior to 7.6.40. The issue arises because the plugin fails to properly validate user identities when using the Disqus provider. This flaw allows an attacker to log in as any user, provided they know the user's email address, and the user does not already have a Disqus account.

Impact

Exploitation of this vulnerability allows for unauthorized login to user accounts, potentially leading to privilege escalation, as users may have roles with elevated permissions.

Reproduction

To reproduce this vulnerability, first ensure that the Disqus login provider is enabled and configured with valid Disqus API keys. Then, create a Disqus account using the email address of a target user who does not already have a Disqus account. After that, access a post or page with the wpDiscuz Comments widget embedded, and log in using the Disqus provider. The login will be authenticated, granting access to the target user's account.

Remediation

Users are advised to update the WordPress Comments plugin to version 7.6.40 or later.

Added: Jan 1, 2026, 6:17 AM
Updated: Jan 1, 2026, 6:17 AM

Vulnerability Rating

Custom Algorithm
spread
3.4
impact
5.0
exploitability
9.7
remediation
7.7
relevance
1.8
threat
6.4
urgency
2.9
incentive
10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.