CVE-2026-7385

MEDIUM

Decent Comments < 3.0.2 - Unauthenticated Email Address Disclosure

Title source: cna

Description

The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses.

References (1)

Core References
Exploit exploit vdb-entry technical-description
https://wpscan.com/vulnerability/1c5949d0-cf50-45d3-a7e2-2f94cdb42405/

Scores

CVSS v3 5.8
EPSS 0.0027
EPSS Percentile 18.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

Status published
Products (1)
None/Decent Comments < 3.0.2
Published May 20, 2026
Tracked Since May 20, 2026