Comments – wpDiscuz < 7.6.40 - Unauthenticated Account Takeover

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

The Comments WordPress plugin before 7.6.40 does not properly validate user's identity when using the disqus.com provider, allowing an attacker to log in to any user (when knowing their email address) when such user does not have an account on disqus.com yet.

Basic Information

ID CVE-2025-13820

Source WPScan

Published Jan 1, 2026 at 06:00

Modified Jan 5, 2026 at 19:57

Affected Product

Vendor Unknown

Product Comments

Affected Versions Unknown Comments 0

CWE Classification

References

wpscan.com /vulnerability/21bc9b41-a967-42dc-9916-bb993b05709c/

{
    "lastseen": "",
    "description": "The Comments  WordPress plugin before 7.6.40 does not properly validate user's identity when using the disqus.com provider, allowing an attacker to log in to any user (when knowing their email address) when such user does not have an account on disqus.com yet.",
    "published": "2026-01-01T06:00:03.091Z",
    "modified": "2026-01-05T19:57:21.990Z",
    "type": "cve",
    "title": "Comments \u2013 wpDiscuz < 7.6.40 - Unauthenticated Account Takeover",
    "source": "WPScan",
    "references": "https://wpscan.com/vulnerability/21bc9b41-a967-42dc-9916-bb993b05709c/",
    "id": "CVE-2025-13820",
    "bulletinFamily": "",
    "cwe": [
        ""
    ],
    "cvelist": null,
    "sourceData": "Unknown Comments 0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Comments",
    "version": "0",
    "vendor": "Unknown",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Comments – wpDiscuz < 7.6.40 - Unauthenticated Account Takeover_CVE-2025-13820