CVE-2026-7385
MEDIUM
Decent Comments < 3.0.2 - Unauthenticated Email Address Disclosure
Title source: cna
Description
The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses.
References (1)
Core References
Exploit exploit
vdb-entry
technical-description
https://wpscan.com/vulnerability/1c5949d0-cf50-45d3-a7e2-2f94cdb42405/
Scores
CVSS v3
5.8
EPSS
0.0027
EPSS Percentile
18.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
Status
published
Products (1)
None/Decent Comments
< 3.0.2
Published
May 20, 2026
Tracked Since
May 20, 2026