Comments – wpDiscuz < 7.6.40 – Unauthenticated Account Takeover | CVE 2025-13820

Description

The plugin does not properly validate user's identity when using the disqus.com provider, allowing an attacker to log in to any user (when knowing their email address) when such user does not have an account on disqus.com yet.

Proof of Concept

## Requirements
-  disqus login provider enabled and configured (/wp-admin/admin.php?page=wpdiscuz_options_page&wpd_tab=social, fill the Public/Secret Keys with legitimate Disqus ones by creating an account with an email address different than the blog admin one)
- Comments – wpDiscuz widget embed in any post/page.
- Anyone can register core settings enabled (/wp-admin/options-general.php)
- The attacked user does not have an account on Disqus.com already

## Attack:
- In incognito mode, create an account on `disqus.com` using the administrator’s email address from the target site.
- Access the post/page with a Comments – wpDiscuz widget is embed and log in using the Disqus provider ("Connect with D" option).
- You will be authenticated directly into the administrator’s account.

Link to demonstration video: https://youtu.be/1IgMvb7hH4M

Formatted report: https://doc.clickup.com/9011113249/d/h/8chnb91-10231/9a61a5591d8e61a