CVE-2026-7385
MEDIUM 5.8 PoC AVAILABLEThe Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses.
EXPLOIT AVAILABLE
Public exploit or PoC code exists. Modeled probability is still low, but the barrier to attack is reduced — watch closely.
Exploitation likelihood
0.3%chance of exploitation in 30 days · 19th percentile
○ In CISA KEV
● Public exploit / PoC
Impact if exploited
5.8CVSS 3.1 · MEDIUM
- ConfidentialityLow
- IntegrityNone
- AvailabilityNone
What an attacker needs
- ✓Access: Reachable over the network — no local access needed
- ✓Privileges: No account or privileges required
- ✓User interaction: No user interaction needed
- ✓Complexity: No special conditions — reliably repeatable
✓ lowers the bar for an attacker · ⚠ raises it
Proof of concept & exploit code
Listed for defensive triage and patch prioritization.
Weakness (CWE)
Not classified.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N