CVE-2026-7385 Overview
CVE-2026-7385 affects the Decent Comments WordPress plugin in versions before 3.0.2. The plugin exposes a REST API endpoint that returns comment author and post author email addresses without restricting access. Unauthenticated attackers can query the endpoint to enumerate registered user email addresses on affected sites.
The vulnerability falls under information disclosure with a changed scope, since data tied to authenticated WordPress accounts leaks through an unauthenticated channel. Exposed emails enable targeted phishing, credential stuffing, and account takeover attempts against administrators and contributors.
Critical Impact
Unauthenticated attackers can harvest WordPress user email addresses through the plugin's REST API endpoint, enabling downstream phishing and account compromise.
Affected Products
- Decent Comments WordPress plugin versions prior to 3.0.2
- WordPress installations exposing the plugin's REST API endpoint
- Sites where comment and post author data is queryable without authentication
Discovery Timeline
- 2026-05-20 - CVE-2026-7385 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-7385
Vulnerability Analysis
The Decent Comments plugin registers a REST API route that returns comment and post metadata. The endpoint includes author email fields in its response payload. The plugin does not check capabilities or authentication state before serving these fields. Any unauthenticated client can issue a request and receive email addresses associated with registered WordPress users.
WordPress treats user email addresses as private data restricted to administrators through the core REST API. The plugin bypasses that boundary by surfacing author emails through its own route. This produces a scope change because data governed by the authenticated WordPress security context leaks through the plugin's unauthenticated interface.
Exploitation requires no user interaction and no privileges. An attacker only needs network access to the WordPress site and knowledge of the plugin's endpoint path. Iterating across comments and posts yields a list of valid user email addresses tied to site roles.
Root Cause
The root cause is missing authorization on the REST API endpoint registered by the plugin. The permission_callback parameter either returns true unconditionally or is absent, allowing public access to data that should be limited to privileged users. Author email fields are included in the response object without filtering based on the requester's capabilities.
Attack Vector
Attackers send unauthenticated HTTP GET requests to the plugin's REST endpoint on a vulnerable WordPress site. The server returns JSON containing comment and post author email addresses. Attackers parse the response, aggregate addresses across pages, and feed the list into phishing or credential stuffing tooling. See the WPScan Vulnerability Report for technical details on the affected endpoint.
Detection Methods for CVE-2026-7385
Indicators of Compromise
- Unauthenticated GET requests to /wp-json/ routes registered by the Decent Comments plugin returning author email fields
- High-volume sequential REST API requests from a single source IP enumerating comments or posts
- Outbound phishing emails referencing addresses that match site author accounts
Detection Strategies
- Monitor web server access logs for repeated requests to plugin-specific REST routes containing decent or comments path segments
- Inspect REST API response bodies in staging environments to confirm whether author_email fields are returned to unauthenticated callers
- Correlate spikes in /wp-json/ traffic with the User-Agent strings of known enumeration tools such as wpscan
Monitoring Recommendations
- Enable WordPress audit logging for REST API requests, including source IP, route, and response size
- Forward web server and WordPress logs to a centralized SIEM for retention and correlation
- Alert on response payloads containing email patterns served from plugin endpoints without an authenticated session cookie
How to Mitigate CVE-2026-7385
Immediate Actions Required
- Update the Decent Comments plugin to version 3.0.2 or later on all WordPress sites
- Audit existing user email exposure by querying the plugin endpoint from an unauthenticated context and reviewing the response
- Reset credentials and enforce multi-factor authentication for any administrator accounts whose emails were exposed
Patch Information
Upgrade the Decent Comments plugin to version 3.0.2, which restricts the REST API endpoint to authorized requests and removes email fields from unauthenticated responses. Refer to the WPScan Vulnerability Report for the fixed version reference.
Workarounds
- Deactivate the Decent Comments plugin until the patched version can be installed
- Block unauthenticated access to /wp-json/ plugin routes at the web application firewall or reverse proxy layer
- Restrict REST API access by IP allowlist for sites that do not require public API consumers
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
