What is the CVSS score of CVE-2026-42749?

CVE-2026-42749 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H. EPSS exploitation probability: 0.1%.

Which versions of Disable Comments are affected by CVE-2026-42749?

Themeisle's 'Disable Comments for Any Post Types' WordPress plugin contains an authentication bypass vulnerability affecting versions through 1.3.0 that allows unauthorized account access through the…

Disable Comments CVE-2026-42749

Q: How to fix or mitigate CVE-2026-42749?

Within 24 hours: Conduct inventory of WordPress sites using comments-plus plugin version 1.3.0 or earlier and assess criticality of affected installations. Within 7 days: Disable comments-plus plugin on all affected sites; implement enhanced monitoring of authentication logs and password-recovery activities for signs of unauthorized access. Within 30 days: Evaluate alternative comment-management solutions and monitor Themeisle security advisories for patch availability; document remediation timeline for management review.

EUVD-2026-32198 HIGH

Authentication Bypass Using an Alternate Path or Channel (CWE-288)

2026-05-27 audit@patchstack.com

GHSA-4x6f-959m-mvmq

Authentication Bypass

7.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

High

Lifecycle Timeline

Analysis Generated

May 27, 2026 - 20:55 vuln.today

DescriptionNVD

Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeisle Disable Comments for Any Post Types (Remove comments) comments-plus allows Password Recovery Exploitation.This issue affects Disable Comments for Any Post Types (Remove comments): from n/a through <= 1.3.0.

AnalysisAI

Authentication bypass in Themeisle's 'Disable Comments for Any Post Types (Remove comments)' WordPress plugin (slug comments-plus), versions through 1.3.0, lets a low-privileged user abuse the password-recovery channel as an alternate authentication path. Classified CWE-288, the flaw carries a CVSS 7.1 with high availability impact and partial integrity impact. …

RemediationAI

Within 24 hours: Conduct inventory of WordPress sites using comments-plus plugin version 1.3.0 or earlier and assess criticality of affected installations. Within 7 days: Disable comments-plus plugin on all affected sites; implement enhanced monitoring of authentication logs and password-recovery activities for signs of unauthorized access. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-42749 vulnerability details – vuln.today

Back