Skip to main content

Disable Comments EUVDEUVD-2026-32198

| CVE-2026-42749 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-27 audit@patchstack.com GHSA-4x6f-959m-mvmq
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:55 vuln.today

DescriptionCVE.org

Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeisle Disable Comments for Any Post Types (Remove comments) comments-plus allows Password Recovery Exploitation.This issue affects Disable Comments for Any Post Types (Remove comments): from n/a through <= 1.3.0.

AnalysisAI

Authentication bypass in Themeisle's 'Disable Comments for Any Post Types (Remove comments)' WordPress plugin (slug comments-plus), versions through 1.3.0, lets a low-privileged user abuse the password-recovery channel as an alternate authentication path. Classified CWE-288, the flaw carries a CVSS 7.1 with high availability impact and partial integrity impact. There is no public exploit identified at time of analysis, and EPSS is very low (0.05%, 16th percentile), indicating no observed mass exploitation.

Technical ContextAI

The affected component is a WordPress plugin (comments-plus) authored by Themeisle that disables comment functionality across post types. The root cause is CWE-288, Authentication Bypass Using an Alternate Path or Channel: rather than failing closed on the primary auth path, the plugin exposes a secondary code path - here tied to password recovery - that can be reached to gain access or trigger privileged effects without satisfying normal authentication checks. In WordPress plugins this class of bug typically arises when a nonce/capability check is missing or misordered on an AJAX, REST, or recovery endpoint, letting the alternate channel bypass the intended gate. The CPE/affected-product data resolves to the WordPress plugin 'comments-plus' (Disable Comments for Any Post Types) up to and including 1.3.0; no formal CPE string was provided in the source data.

RemediationAI

No vendor-released patch identified at time of analysis - the source data lists affected versions through ≤1.3.0 but no fixed release. Monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/comments-plus/vulnerability/wordpress-disable-comments-for-any-post-types-remove-comments-plugin-1-3-0-broken-authentication-vulnerability?_s_id=cve) and the WordPress.org plugin page for a release above 1.3.0 and upgrade as soon as one is published. As compensating controls until then: because exploitation requires a low-privilege account (PR:L), tighten user registration and audit/limit existing low-privilege accounts to reduce the pool of potential attackers; restrict access to the plugin's recovery/AJAX/REST endpoints via a WAF or web-server rules (trade-off: rules must target the specific recovery path and may need tuning to avoid breaking legitimate password resets); and if the plugin is not essential, consider deactivating and removing it (trade-off: loss of comment-disabling functionality, which can usually be replaced by core WordPress discussion settings). Patchstack virtual patching (vPatch) may provide protection if you use that platform.

Share

EUVD-2026-32198 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy