CVE-2025-13820
Description
The Comments WordPress plugin before 7.6.40 does not properly validate a user's identity when using the disqus.com provider, allowing an attacker to log in as any user (when knowing their email address) when that user does not yet have an account on disqus.com.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Comments – wpDiscuz plugin before 7.6.40 fails to validate user identity with disqus.com, allowing unauthenticated account takeover if the attacker knows the victim's email.
The Comments – wpDiscuz plugin for WordPress, versions prior to 7.6.40, contains an authentication bypass vulnerability in its integration with the disqus.com provider. The plugin does not properly validate a user's identity when authenticating through the disqus.com login flow, specifically when the target user does not yet have an account on disqus.com [1]. This flaw allows an attacker to impersonate any user whose email address is known.
Exploitation
An unauthenticated attacker can exploit this vulnerability by initiating the disqus.com login process for a target user. Since the plugin fails to verify that the user actually possesses a disqus.com account, the attacker can complete the login as that user. The only prerequisite is knowledge of the victim's email address [1]. No authentication or special network access is required.
Impact
Successful exploitation results in a complete account takeover of the targeted WordPress user. The attacker gains the same privileges as that user, including access to any content, settings, or capabilities associated with the account. This could lead to privilege escalation if the compromised user has administrative or editor roles.
Mitigation
The vulnerability has been fixed in version 7.6.40 of the Comments – wpDiscuz plugin [1]. Users are strongly advised to update to this version or later. No workarounds have been published.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles in our index yet)