PatchSiren cyber security CVE debrief

CVE-2026-7385 Decent Comments CVE debrief

CVE-2026-7385 describes an information disclosure issue in the Decent Comments WordPress plugin before 3.0.2. A REST API endpoint does not restrict access to comment author email addresses and post author email addresses, which allows unauthenticated attackers to enumerate registered user email addresses. The CVSS v3.1 vector provided by NVD is AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N, matching a medium-severity privacy exposure.

Vendor: Decent Comments
Product: Decent Comments WordPress plugin
CVSS: MEDIUM 5.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-20
Advisory published: 2026-05-20
Advisory updated: 2026-05-20

Who should care

WordPress site owners, administrators, and security teams should care if the Decent Comments plugin is installed, especially on public-facing sites where user email privacy matters.

Technical summary

The supplied source corpus states that versions before 3.0.2 of the Decent Comments WordPress plugin expose comment author email addresses and post author email addresses via a REST API endpoint without access restrictions. Because the endpoint can be reached without authentication, an attacker can enumerate registered user email addresses. The NVD source item marks the CVE as Deferred and references the WPScan advisory.

Defensive priority

Medium priority: patch promptly if Decent Comments is installed, particularly on internet-facing WordPress sites.

Recommended defensive actions

  • Upgrade Decent Comments to version 3.0.2 or later if installed.
  • Inventory WordPress sites to confirm whether the Decent Comments plugin is present and in use.
  • Review REST API exposure on affected sites and verify that no sensitive fields are unnecessarily returned.
  • Treat exposed email addresses as sensitive data and monitor for signs of abuse such as bulk enumeration or scraping of the endpoint.
  • If immediate upgrading is not possible, consider temporarily disabling or restricting the plugin on public sites until remediation is complete.
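As an added defender-side helper (not code from PatchSiren, WPScan or the plugin vendor), the script below supports the inventory and REST-exposure actions above: it triages a plugin inventory against the 3.0.2 boundary using numeric version comparison, and walks a decoded REST response to flag any field whose whole value is an email address. The plugin slug "decent-comments", the sample inventory and the sample response are assumptions constructed for the example, not the plugin's real response format.

```python
import json
import re

# Fixed release named in the advisory; every version numerically below it is affected.
FIXED_VERSION = (3, 0, 2, 0)
PLUGIN_SLUG = "decent-comments"  # assumed inventory slug, not stated in the advisory
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def parse_version(version):
    """'3.0.10' -> (3, 0, 10, 0). Comparing numeric tuples avoids the classic
    string-compare bug where '3.0.10' < '3.0.2'. A pre-release tag ('3.0.2-beta')
    ranks just below its release, so it still counts as before 3.0.2."""
    core, _, tag = version.partition("-")
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]) + ((-1,) if tag else (0,))

def is_vulnerable(version):
    return parse_version(version) < FIXED_VERSION

def triage_inventory(inventory):
    """inventory: iterable of (site, plugin_slug, version). Returns the sites
    still running an affected Decent Comments build, sorted by name."""
    return sorted(site for site, slug, ver in inventory
                  if slug == PLUGIN_SLUG and is_vulnerable(ver))

def find_email_fields(node, path=""):
    """Walk a decoded REST response and return the JSON paths whose whole value
    is an email address, to confirm after patching that an unauthenticated
    call no longer returns author addresses (free-text comment bodies are not flagged)."""
    hits = []
    if isinstance(node, dict):
        for key, val in node.items():
            hits += find_email_fields(val, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            hits += find_email_fields(val, f"{path}[{i}]")
    elif isinstance(node, str) and EMAIL_RE.match(node):
        hits.append(path)
    return hits

# Constructed sample data: not real sites and not the plugin's real response format.
SAMPLE_INVENTORY = [("blog.example.test", "decent-comments", "3.0.1"),
                    ("shop.example.test", "decent-comments", "3.0.10"),
                    ("docs.example.test", "other-plugin", "1.4")]
SAMPLE_RESPONSE = json.loads('{"post": {"id": 12, "author_email": "owner@example.test"}, '
                             '"comments": [{"id": 5, "author_email": "ann@example.test", '
                             '"content": "mail me at ann@example.test"}]}')
```

Running triage_inventory(SAMPLE_INVENTORY) reports only blog.example.test (3.0.10 is above 3.0.2 despite sorting below it as a string), and find_email_fields(SAMPLE_RESPONSE) lists post.author_email and comments[0].author_email.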

Evidence notes

The CVE description supplied in the corpus states that Decent Comments WordPress plugin versions before 3.0.2 do not restrict access to comment author email addresses and post author email addresses via a REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses. The NVD source item marks the record as Deferred and includes a WPScan advisory reference. No additional affected-product details beyond the supplied plugin name and version boundary were used.

Official resources

Publicly disclosed in the CVE record on 2026-05-20. The supplied source item shows the NVD record as Deferred and references a WPScan advisory. Use the published CVE date for timing context.