CVE-2026-7385
Description
The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Decent Comments WordPress plugin before 3.0.2 exposes comment and post author email addresses via an unauthenticated REST API endpoint.
Vulnerability
The Decent Comments WordPress plugin versions prior to 3.0.2 fail to restrict access to comment author email addresses and post author email addresses through its REST API endpoint. This allows any unauthenticated visitor to the site to query the API and retrieve email addresses associated with comments and posts. The affected versions are all releases before 3.0.2 [1].
Exploitation
An unauthenticated attacker needs only network access to the WordPress site's REST API. No authentication or special privileges are required. The attacker can send crafted API requests to the exposed endpoint that returns email addresses of comment authors and post authors. The public disclosure includes a proof of concept, confirming the ease of exploitation [1].
Impact
Successful exploitation enables an attacker to enumerate registered user email addresses on the WordPress site. This information disclosure could be leveraged for targeted phishing campaigns, social engineering, or further reconnaissance against the site's users. The attack does not require any user interaction or additional privileges [1].
Mitigation
The vulnerability is fixed in version 3.0.2 of the Decent Comments plugin. Site administrators should update to version 3.0.2 or later immediately. No workarounds have been provided by the vendor. The vulnerability was publicly disclosed by the researcher Vaibhav Narkhede [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <3.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.