An authentication bypass has been disclosed in the Comments WordPress plugin, specifically in its integration with the Disqus.com authentication provider. Tracked as CVE-2025-13820 with a CVSS score of 5.3 (Medium), the flaw affects all versions before 7.6.40 and allows an attacker who knows a victim’s email address to log in as that user through the Disqus.com login integration, without the victim’s password. The Comments plugin, better known as wpDiscuz, is one of the most popular WordPress commenting systems with over 60,000 active installations.
wpDiscuz provides a modern, AJAX-powered comment system that replaces the default WordPress commenting experience. It includes features like real-time comment updates, multiple comment layouts, social login integration, comment attachments, and advanced moderation tools. The Disqus login integration allows users to authenticate using their existing Disqus accounts, which was intended to reduce friction for commenters who prefer not to create a WordPress-specific account. However, the way this integration validates user identity is where the flaw lies.
The vulnerability was responsibly disclosed through the WordPress plugin vulnerability disclosure process. When the plugin developers at gVectors received the report, they moved quickly to understand the issue and develop a fix. The patch was released in version 7.6.40, and all users running earlier versions are urged to update immediately.
CVE-2025-13820: The Vulnerability in Detail
The Comments plugin allows users to log in through the Disqus.com provider as an alternative to WordPress native authentication. Plugin versions before 7.6.40 fail to properly validate the user’s identity when using Disqus login. An attacker who knows a victim’s email address can authenticate as that user without knowing their password.
This is a serious flaw because it bypasses password authentication entirely. The attacker does not need to guess, brute-force, or phish credentials. Knowing the email address is sufficient to take over the account, including admin accounts if the attacker knows the admin’s email. The vulnerability exists in the OAuth callback handler where the plugin processes the identity assertion returned by Disqus. Instead of obtaining the identity from Disqus itself (through the server-side exchange of the authorization code, or by verifying a token Disqus signed for the intended user), the plugin accepts the asserted identity at face value under certain conditions.
The specific technical issue is insufficient validation of the user identity data returned by Disqus’s OAuth flow. When a user authenticates through Disqus, the service returns a set of claims about the user including their email address and a unique identifier. The plugin uses this email to look up or create a WordPress user account. However, an attacker can craft a request that mimics the Disqus callback response, substituting their target’s email address. Since the plugin does not adequately verify that the callback response came from Disqus, and keys the account lookup on the email alone, it creates a session for the WordPress account matching that email.
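The following is an added example, not the wpDiscuz plugin’s code, modelling the two ways an OAuth callback can decide who just logged in. The function names, the in-memory session store, the constructed user table and the fake Disqus code exchange are assumptions made so the handlers run offline. The vulnerable handler trusts identity fields carried in the callback request; the hardened one checks the anti-CSRF `state` value it minted at login start, obtains the identity from the provider by exchanging the authorization code server-side, and only then maps a verified email to a local account.

```python
"""Vulnerable vs. hardened OAuth callback identity handling (added example)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    """Per-browser state the site keeps between the redirect and the callback."""
    oauth_state: Optional[str] = None
    user: Optional[str] = None


# Constructed site user table (assumption): email -> (username, role)
USERS: Dict[str, tuple] = {
    "admin@example.com": ("siteadmin", "administrator"),
    "alice@example.com": ("alice", "subscriber"),
}


def fake_disqus_exchange(code: str) -> Optional[dict]:
    """Stand-in for the server-to-server exchange of an authorization code.

    Only a code the provider actually issued maps to an identity, and the
    identity is what the provider returns, not what the browser sent.
    """
    issued = {
        "code-for-alice": {"id": "disqus-1001", "email": "alice@example.com", "email_verified": True},
    }
    return issued.get(code)


def vulnerable_callback(params: dict, session: Session) -> Optional[str]:
    """Pattern behind the bypass: the asserted email in the request picks the account."""
    email = params.get("email")
    if email in USERS:
        session.user = USERS[email][0]
        return session.user
    return None


def begin_login(session: Session) -> str:
    """Hardened flow, step 1: mint an unguessable, single-use state value."""
    session.oauth_state = secrets.token_urlsafe(32)
    return session.oauth_state


def hardened_callback(params: dict, session: Session,
                      exchange: Callable[[str], Optional[dict]] = fake_disqus_exchange) -> Optional[str]:
    """Hardened flow, step 2: identity comes from the provider, never from the request."""
    expected = session.oauth_state
    session.oauth_state = None  # single use: a replayed callback fails here
    if not expected or not hmac.compare_digest(expected, str(params.get("state", ""))):
        return None
    identity = exchange(str(params.get("code", "")))
    if identity is None:
        return None  # code was never issued by the provider
    if not identity.get("email_verified"):
        return None  # an unverified provider email must not bind to a local account
    email = identity["email"]
    if email not in USERS:
        return None
    session.user = USERS[email][0]
    return session.user


if __name__ == "__main__":
    forged = {"email": "admin@example.com"}  # constructed attacker callback
    print("vulnerable:", vulnerable_callback(forged, Session()))   # siteadmin
    print("hardened:  ", hardened_callback(forged, Session()))     # None
```

Two details carry the fix: the handler never reads an identity field from the callback request, and the `state` check ties the callback to a login the same browser started, so a crafted callback cannot be replayed against an arbitrary session.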
CVE-2025-13820: Impact Analysis
The CVSS score of 5.3 may seem low for what is effectively a complete authentication bypass. The medium score takes into account that the attacker needs to know the target’s email address, which limits the pool of exploitable targets on any given site. In practice, however, email addresses are not difficult to obtain. WordPress exposes usernames through author archives and the REST users endpoint (/wp-json/wp/v2/users lists any user with published posts by default), and email addresses are often discoverable from contact pages, staff listings, and prior data breaches. On a membership site or a site with publicly listed staff or contributors, the admin email address may be readily discoverable.
- CVSS Score: 5.3 (Medium)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low (limited to information accessible to the compromised account)
- Integrity Impact: Low (limited to actions the compromised account can perform)
- Availability Impact: None
- Affected Versions: Comments plugin before version 7.6.40
Note that the metrics as listed (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) compute to a CVSS 3.1 base score of 6.5, not 5.3; a 5.3 with these exploitability metrics corresponds to a single Low impact (for example C:L/I:N/A:N). One of the entries above is therefore inconsistent with the score, and the CVE record should be treated as the authoritative vector.
Once authenticated, the attacker can perform any action that their target user role allows. If the target is an administrator, the attacker gains full control over the WordPress installation, including plugin installation, theme modification, user management, and content editing. The attacker can install backdoor plugins, modify active theme files to inject malicious code, create new admin accounts for persistent access, and exfiltrate the user database containing password hashes and personal information.
For sites with multiple administrators or editors, the attacker can use the compromised account to perform actions that appear to come from a legitimate user. This makes forensic analysis more difficult because the malicious actions blend in with legitimate administrative activity. Without proper activity logging, site owners may not realize they have been compromised until significant damage has occurred.
Who Is at Risk
Any WordPress site running the Comments plugin with Disqus.com login enabled is at risk. Even if you do not personally use Disqus login, the vulnerability exists as long as the plugin is active and the Disqus provider is available as a login option. Site owners should check whether the Disqus authentication provider is enabled in their Comments plugin settings. The risk is particularly high for sites with multiple user accounts, membership sites, e-commerce stores, or any WordPress installation where user accounts carry privileges beyond simple commenting.
Sites with publicly listed team members or authors are especially vulnerable because email addresses or usernames are often displayed on author archive pages. An attacker can scrape these pages to build a list of potential targets and then attempt authentication bypass against each one. The attacker has a high probability of success against any account where they can determine the associated email address.
It is important to note that the vulnerability exists in the plugin code itself, not in the Disqus service. Even if you trust Disqus as a service provider, the way the plugin handles the authentication handshake introduces the security gap. Updating the plugin fixes the issue regardless of which social login providers you have enabled.
Detecting Authentication Bypass Attacks
Detecting authentication bypass attacks requires monitoring user login patterns and watching for anomalies. Common indicators of this attack include logins from unusual IP addresses for a given user account, multiple login events for the same account in rapid succession, logins that do not correspond to known password reset or session activity, and logins via the Disqus provider by users who normally authenticate through WordPress native login. Privileged accounts (administrators and editors) authenticating through any social provider deserve a review on their own, regardless of the other signals.
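The detection rules described above, run over a handful of constructed authentication log lines, as an added example that is not part of the original page or of any product mentioned on it. The log format (`timestamp user= role= method= ip= result=`), the rule names and the thresholds (three logins within 60 seconds, an IP change within 10 minutes) are assumptions; map the parser to whatever your activity log actually emits.

```python
"""Flag login anomalies consistent with a social-login authentication bypass (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed log format; adapt LOG_RE to your activity log's real layout.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"method=(?P<method>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)
PRIVILEGED = {"administrator", "editor"}
NATIVE_METHOD = "wp"            # WordPress username/password login
BURST_COUNT, BURST_WINDOW = 3, timedelta(seconds=60)
IP_WINDOW = timedelta(minutes=10)

# Constructed sample log: one benign subscriber login, then an admin whose
# usual native login is followed by a burst of Disqus logins from a new IP.
SAMPLE_LOG = """
2026-01-05T09:00:00Z user=alice role=subscriber method=disqus ip=198.51.100.7 result=success
2026-01-05T09:05:00Z user=siteadmin role=administrator method=wp ip=192.0.2.10 result=success
2026-01-05T09:06:10Z user=siteadmin role=administrator method=disqus ip=203.0.113.9 result=success
2026-01-05T09:06:12Z user=siteadmin role=administrator method=disqus ip=203.0.113.9 result=success
2026-01-05T09:06:15Z user=siteadmin role=administrator method=disqus ip=203.0.113.9 result=success
"""

Finding = Tuple[str, str, datetime]  # (rule, user, time of the triggering event)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; returns None for blank or unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines: List[str]) -> List[Finding]:
    """Single pass over successful logins, comparing each to the user's prior history."""
    findings: List[Finding] = []
    history: Dict[str, List[dict]] = defaultdict(list)  # user -> earlier successful events
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue
        user, prior = ev["user"], history[ev["user"]]
        # Rule 1: a privileged role authenticated through a social provider at all.
        if ev["role"] in PRIVILEGED and ev["method"] != NATIVE_METHOD:
            findings.append(("privileged_social_login", user, ev["ts"]))
        # Rule 2: user has only ever used native login and now arrives via a provider.
        if prior and ev["method"] != NATIVE_METHOD and all(p["method"] == NATIVE_METHOD for p in prior):
            findings.append(("method_change", user, ev["ts"]))
        # Rule 3: source IP differs from every IP this user used in the recent window.
        recent_ips = {p["ip"] for p in prior if ev["ts"] - p["ts"] <= IP_WINDOW}
        if recent_ips and ev["ip"] not in recent_ips:
            findings.append(("ip_change", user, ev["ts"]))
        # Rule 4: burst of successful logins for one account.
        recent = [p for p in prior if ev["ts"] - p["ts"] <= BURST_WINDOW]
        if len(recent) + 1 >= BURST_COUNT:
            findings.append(("burst", user, ev["ts"]))
        prior.append(ev)
    return findings


if __name__ == "__main__":
    for rule, user, ts in detect(SAMPLE_LOG.strip().splitlines()):
        print(f"{ts.isoformat()} {user}: {rule}")
```

Rule 1 is noisy on sites where administrators legitimately use social login, so tune it to your user base; rules 2 and 3 carry the most signal for this particular bypass, because the attacker arrives through a provider the victim never used and from an address the victim never used.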
WordPress security plugins with user activity monitoring can help detect these patterns. Trusti Security’s Activity Logging module tracks all user authentication events, including the authentication method used, the IP address, and the user agent. Reviewing these logs regularly can reveal suspicious login patterns that indicate an authentication bypass attack in progress. The module also supports real-time alerts that notify site administrators immediately when an admin-level user authenticates through a non-standard provider.
In addition to activity logging, Trusti Security’s User Role Management features allow you to restrict which authentication methods each user role can use. By disabling Disqus login for administrator and editor roles while leaving it available for subscribers and commenters, you can reduce the blast radius of this vulnerability even before you apply the plugin update.
Protecting Your Site Against Authentication Bypass
The most important step is updating the Comments plugin to version 7.6.40 or later. This version includes the fix for CVE-2025-13820 with proper validation of the Disqus authentication callback. If for any reason you cannot update immediately, consider disabling the Disqus login feature in the plugin settings as a temporary mitigation.
Beyond the immediate fix, site owners should implement layered authentication security. Two-Factor Authentication (2FA) adds a second verification step after the primary login, and Trusti Security’s Brute Force Protection module includes 2FA support for all user roles. One caveat matters here: this bypass skips the password check, not the second factor, so 2FA stops the attack only if it is enforced on every login path, including the social-login callback, and not just on the wp-login.php form. Verify this on a staging copy by completing a Disqus login with a 2FA-enabled test account and confirming that the second factor is demanded before a session is issued. With that enforcement in place, an attacker who exploits CVE-2025-13820 is still blocked at the 2FA stage.
Regular security audits are also essential. Scan your WordPress installation for outdated plugins, test authentication flows, and review user accounts for unauthorized access or privilege escalation. Trusti Security’s Vulnerability Scanner automatically checks all installed plugins against the CVE database and alerts you when updates are available.
The Comments plugin is available on WordPress.org at wordpress.org/plugins/comments/. The fix was released in version 7.6.40. Update immediately if you are running an older version.