← back
CVE-2025-13820

Comments – wpDiscuz < 7.6.40 - Unauthenticated Account Takeover

CVSS 5.3 MEDIUMEPSS 0.2%
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.3EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
01 Jan 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Comments WordPress plugin before 7.6.40 does not properly validate user's identity when using the disqus.com provider, allowing an attacker to log in to any user (when knowing their email address) when such user does not have an account on disqus.com yet.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
Unknown · Comments