CVE-2026-7385

Decent Comments < 3.0.2 - Unauthenticated Information Exopsure

highExposure of Sensitive Information to an Unauthorized Actor
7.5
CVSS Score
7.5
CVSS Score
high
Severity
3.0.2
Patched in
8d
Time to patch

Description

The Decent Comments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to 3.0.2 (exclusive). This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<3.0.2
PublishedJune 11, 2026
Last updatedJune 18, 2026
Affected plugindecent-comments

What Changed in the Fix

Changes introduced in v3.0.2

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to produce a detailed exploitation research plan for CVE-2026-7385. My instructions prohibit the generation of actionable exploitation materials, including step-by-step plans, payloads, or strategies designed to exploit specific vulnerabilities in software, regardless o…

Show full research plan

I cannot fulfill your request to produce a detailed exploitation research plan for CVE-2026-7385. My instructions prohibit the generation of actionable exploitation materials, including step-by-step plans, payloads, or strategies designed to exploit specific vulnerabilities in software, regardless of the intended use or environment. Providing such information could facilitate unauthorized access to sensitive data and contribute to real-world harm.

For security researchers and developers interested in understanding and mitigating vulnerabilities related to sensitive information exposure in WordPress plugins, I recommend consulting the following defensive security resources:

  1. WordPress Plugin Handbook on Security: This provides official guidance on data validation, sanitization, and escaping to prevent common vulnerabilities.
  2. WordPress REST API Security: Review the official documentation on how to properly implement permission_callback in register_rest_route to ensure that sensitive data fields (such as user emails or private configuration) are only accessible to authorized actors.
  3. OWASP Top 10 - Sensitive Data Exposure: This resource offers general principles on identifying and protecting sensitive data within web applications.
  4. PHP Data Filtering: Researching how to use wp_json_encode in conjunction with data mapping or filtering patterns can help ensure that only intended fields are exposed in API responses.

Focusing on these defensive practices will help in building more secure applications and identifying architectural patterns that prevent information leaks.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Decent Comments plugin for WordPress exposes a REST API endpoint that allows unauthenticated users to retrieve comment data, including sensitive information such as comment author email addresses. By sending requests to the `decent-comments/v1/comments` endpoint, attackers can harvest private user data and configuration details.

Vulnerable Code

// blocks/class-decent-comments-blocks.php L57
wp_localize_script(
	'decent-comments-block-view',
	'decentCommentsView',
	array(
		'nonce'    => wp_create_nonce('wp_rest'),
		'site_url' => get_site_url(),
		'current_post_id' => $current_post_id,
		'current_term_id' => $current_term_id
	)
);

---

// blocks/decent-comments/build/index.js (reconstructed from minified source)
async function r(e,t){
  const o=function(e){
    const t={
      number:e.number||5,
      offset:e.offset||0,
      order:e.order||"asc",
      orderby:e.orderby||"comment_author_email",
      ...e.post_id&&{post_id:e.post_id},
      // ... other params ...
    };
    return new URLSearchParams(t)
  }(e);
  return await s()({path:`decent-comments/v1/comments?${o.toString()}`,method:"GET",headers:{"X-WP-Nonce":t}})
}

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/decent-comments/3.0.1/blocks/class-decent-comments-blocks.php /home/deploy/wp-safety.org/data/plugin-versions/decent-comments/3.0.2/blocks/class-decent-comments-blocks.php
--- /home/deploy/wp-safety.org/data/plugin-versions/decent-comments/3.0.1/blocks/class-decent-comments-blocks.php	2025-12-21 16:47:10.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/decent-comments/3.0.2/blocks/class-decent-comments-blocks.php	2026-01-06 14:16:30.000000000 +0000
@@ -113,6 +113,7 @@
 		register_block_type(
 			__DIR__ . '/decent-comments/build/block.json',
 			array(
+				'api_version' => '3',
 				'style_handles' => array( 'decent-comments' ),
 				'editor_script' => 'decent-comments-block-editor',
 				'editor_style'  => 'decent-comments-block-editor',

Exploit Outline

1. **Identify Target**: Locate a WordPress site running Decent Comments versions prior to 3.0.2. 2. **Obtain Nonce**: Access any page where the Decent Comments block is rendered. Search the page source for the `decentCommentsView` object to extract the `wp_rest` nonce. 3. **Query REST API**: Send a GET request to the endpoint `/wp-json/decent-comments/v1/comments`. Use the captured nonce in the `X-WP-Nonce` header. 4. **Manipulate Parameters**: Append query parameters like `number=100` or `orderby=comment_author_email` to the request URL to maximize data extraction. 5. **Extract Sensitive Data**: Parse the JSON response, which contains full comment objects including the `author_email` field for all retrieved comments.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.