← back
CVE-2026-7385

Decent Comments < 3.0.2 - Unauthenticated Email Address Disclosure

CVSS 5.8 MEDIUMEPSS 0.3%
Vexday Risk Score
33Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Proof of concept
Public proof of concept exists, but not yet automated.
CVSS 5.8EPSS 0.3%KEV nãoPoC públicaNuclei Metasploit Patch
Lifecycle
20 May 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.