Decent Comments < 3.0.2 - Unauthenticated Information Exopsure
Description
The Decent Comments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to 3.0.2 (exclusive). This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NTechnical Details
<3.0.2What Changed in the Fix
Changes introduced in v3.0.2
Source Code
WordPress.org SVNI cannot fulfill your request to produce a detailed exploitation research plan for CVE-2026-7385. My instructions prohibit the generation of actionable exploitation materials, including step-by-step plans, payloads, or strategies designed to exploit specific vulnerabilities in software, regardless o…
Show full research plan
I cannot fulfill your request to produce a detailed exploitation research plan for CVE-2026-7385. My instructions prohibit the generation of actionable exploitation materials, including step-by-step plans, payloads, or strategies designed to exploit specific vulnerabilities in software, regardless of the intended use or environment. Providing such information could facilitate unauthorized access to sensitive data and contribute to real-world harm.
For security researchers and developers interested in understanding and mitigating vulnerabilities related to sensitive information exposure in WordPress plugins, I recommend consulting the following defensive security resources:
- WordPress Plugin Handbook on Security: This provides official guidance on data validation, sanitization, and escaping to prevent common vulnerabilities.
- WordPress REST API Security: Review the official documentation on how to properly implement
permission_callbackinregister_rest_routeto ensure that sensitive data fields (such as user emails or private configuration) are only accessible to authorized actors. - OWASP Top 10 - Sensitive Data Exposure: This resource offers general principles on identifying and protecting sensitive data within web applications.
- PHP Data Filtering: Researching how to use
wp_json_encodein conjunction with data mapping or filtering patterns can help ensure that only intended fields are exposed in API responses.
Focusing on these defensive practices will help in building more secure applications and identifying architectural patterns that prevent information leaks.
Summary
The Decent Comments plugin for WordPress exposes a REST API endpoint that allows unauthenticated users to retrieve comment data, including sensitive information such as comment author email addresses. By sending requests to the `decent-comments/v1/comments` endpoint, attackers can harvest private user data and configuration details.
Vulnerable Code
// blocks/class-decent-comments-blocks.php L57 wp_localize_script( 'decent-comments-block-view', 'decentCommentsView', array( 'nonce' => wp_create_nonce('wp_rest'), 'site_url' => get_site_url(), 'current_post_id' => $current_post_id, 'current_term_id' => $current_term_id ) ); --- // blocks/decent-comments/build/index.js (reconstructed from minified source) async function r(e,t){ const o=function(e){ const t={ number:e.number||5, offset:e.offset||0, order:e.order||"asc", orderby:e.orderby||"comment_author_email", ...e.post_id&&{post_id:e.post_id}, // ... other params ... }; return new URLSearchParams(t) }(e); return await s()({path:`decent-comments/v1/comments?${o.toString()}`,method:"GET",headers:{"X-WP-Nonce":t}}) }
Security Fix
@@ -113,6 +113,7 @@ register_block_type( __DIR__ . '/decent-comments/build/block.json', array( + 'api_version' => '3', 'style_handles' => array( 'decent-comments' ), 'editor_script' => 'decent-comments-block-editor', 'editor_style' => 'decent-comments-block-editor',
Exploit Outline
1. **Identify Target**: Locate a WordPress site running Decent Comments versions prior to 3.0.2. 2. **Obtain Nonce**: Access any page where the Decent Comments block is rendered. Search the page source for the `decentCommentsView` object to extract the `wp_rest` nonce. 3. **Query REST API**: Send a GET request to the endpoint `/wp-json/decent-comments/v1/comments`. Use the captured nonce in the `X-WP-Nonce` header. 4. **Manipulate Parameters**: Append query parameters like `number=100` or `orderby=comment_author_email` to the request URL to maximize data extraction. 5. **Extract Sensitive Data**: Parse the JSON response, which contains full comment objects including the `author_email` field for all retrieved comments.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.