Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
1DescriptionCVE.org
Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeisle Disable Comments for Any Post Types (Remove comments) comments-plus allows Password Recovery Exploitation.This issue affects Disable Comments for Any Post Types (Remove comments): from n/a through <= 1.3.0.
AnalysisAI
Authentication bypass in Themeisle's 'Disable Comments for Any Post Types (Remove comments)' WordPress plugin (slug comments-plus), versions through 1.3.0, lets a low-privileged user abuse the password-recovery channel as an alternate authentication path. Classified CWE-288, the flaw carries a CVSS 7.1 with high availability impact and partial integrity impact. There is no public exploit identified at time of analysis, and EPSS is very low (0.05%, 16th percentile), indicating no observed mass exploitation.
Technical ContextAI
The affected component is a WordPress plugin (comments-plus) authored by Themeisle that disables comment functionality across post types. The root cause is CWE-288, Authentication Bypass Using an Alternate Path or Channel: rather than failing closed on the primary auth path, the plugin exposes a secondary code path - here tied to password recovery - that can be reached to gain access or trigger privileged effects without satisfying normal authentication checks. In WordPress plugins this class of bug typically arises when a nonce/capability check is missing or misordered on an AJAX, REST, or recovery endpoint, letting the alternate channel bypass the intended gate. The CPE/affected-product data resolves to the WordPress plugin 'comments-plus' (Disable Comments for Any Post Types) up to and including 1.3.0; no formal CPE string was provided in the source data.
RemediationAI
No vendor-released patch identified at time of analysis - the source data lists affected versions through ≤1.3.0 but no fixed release. Monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/comments-plus/vulnerability/wordpress-disable-comments-for-any-post-types-remove-comments-plugin-1-3-0-broken-authentication-vulnerability?_s_id=cve) and the WordPress.org plugin page for a release above 1.3.0 and upgrade as soon as one is published. As compensating controls until then: because exploitation requires a low-privilege account (PR:L), tighten user registration and audit/limit existing low-privilege accounts to reduce the pool of potential attackers; restrict access to the plugin's recovery/AJAX/REST endpoints via a WAF or web-server rules (trade-off: rules must target the specific recovery path and may need tuning to avoid breaking legitimate password resets); and if the plugin is not essential, consider deactivating and removing it (trade-off: loss of comment-disabling functionality, which can usually be replaced by core WordPress discussion settings). Patchstack virtual patching (vPatch) may provide protection if you use that platform.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32198
GHSA-4x6f-959m-mvmq