Decent Comments
- < 3.0.2
A vulnerability exists in the Decent Comments WordPress plugin in versions prior to 3.0.2, where the plugin's REST API endpoint does not properly restrict access to comment author and post author email addresses. This flaw allows unauthenticated attackers to enumerate the email addresses of registered users.
Exploitation of this vulnerability leads to unauthorized disclosure of registered user email addresses.
To reproduce this vulnerability, send a request to the WordPress site's REST API endpoint for the Decent Comments plugin, specifically the plugin's comments endpoint (version 1.0.0). The response includes the comment authors' names, the comment authors' email addresses, and the email addresses of the post authors.
Users are advised to update the Decent Comments WordPress plugin to version 3.0.2 or later.
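As an added illustration (not the plugin's own code, which this advisory does not show), the following hypothetical WordPress REST handler demonstrates the class of defect described above and the field-level check that prevents it: email fields are emitted only when the requester holds the moderate_comments capability, which is what WordPress core requires before exposing comment author emails. The route name, function names and field names are assumptions for illustration.

```php
<?php
// Added example, not Decent Comments code: a hypothetical comments endpoint.
// Route, callback and output field names are assumptions for illustration.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-comments/v1', '/comments', array(
        'methods'             => 'GET',
        // Listing approved comments is public, so the route itself stays open;
        // the sensitive fields are gated per requester inside the callback.
        'permission_callback' => '__return_true',
        'args'                => array(
            'post_id' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
        ),
        'callback'            => 'example_comments_handler',
    ) );
} );

function example_comments_handler( WP_REST_Request $request ) {
    $post_id = (int) $request['post_id'];
    if ( ! get_post( $post_id ) || get_post_status( $post_id ) !== 'publish' ) {
        return new WP_Error( 'not_found', 'Post not found', array( 'status' => 404 ) );
    }

    // Unauthenticated REST requests have no current user, so this is false for
    // them; only users allowed to moderate comments may see email addresses.
    $may_see_emails = current_user_can( 'moderate_comments' );
    $post_author_id = (int) get_post_field( 'post_author', $post_id );

    $out = array();
    foreach ( get_comments( array( 'post_id' => $post_id, 'status' => 'approve' ) ) as $c ) {
        $item = array(
            'author'  => $c->comment_author,
            'content' => $c->comment_content,
        );
        // The vulnerable pattern is emitting the two fields below unconditionally;
        // the capability check is what turns it into a safe response.
        if ( $may_see_emails ) {
            $item['author_email']      = $c->comment_author_email;
            $item['post_author_email'] = get_the_author_meta( 'user_email', $post_author_id );
        }
        $out[] = $item;
    }
    return rest_ensure_response( $out );
}
```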