CVE-2025-13820

MEDIUM 5.3 / 10.0
Published: January 1, 2026 at 06:15 AM
Modified: January 5, 2026 at 08:16 PM
Source: contact@wpscan.com

Vulnerability Description

The Comments WordPress plugin before 7.6.40 does not properly validate user's identity when using the disqus.com provider, allowing an attacker to log in to any user (when knowing their email address) when such user does not have an account on disqus.com yet.

CVSS Metrics

Base Score
5.3
Severity
MEDIUM
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Security Analysis

01 // Technical Summary

An attacker who knows the email address of a user on a WordPress site running the Comments plugin before 7.6.40 can log in as that user through the plugin's disqus.com login provider, provided the user has not yet registered on disqus.com. No credentials or user interaction are required. Impersonating a privileged account hands the attacker that account's capabilities, so the real impact depends on the role of the targeted user; note that the published CVSS 3.1 vector (C:L/I:N/A:N) rates the impact lower than impersonation of an administrator would warrant. Updating to 7.6.40 or later removes the flaw.

02 // Vulnerability Mechanism

Step 1: Target selection. The attacker identifies a site running the Comments plugin before 7.6.40 with the disqus.com login provider enabled, and learns the email address of the target user (an administrator, for example).

Step 2: Precondition. The target must not yet have a disqus.com account. The flaw lies in how the plugin treats such users; the attacker does not need to create a Disqus account for the target, and the advisory does not state that one is created.

Step 3: Login attempt. The attacker starts a login through the plugin's Disqus provider and supplies the target's email address as the asserted identity.

Step 4: Authentication bypass. Because the plugin does not properly validate the asserted identity against disqus.com, the supplied email address is accepted as proof of who the caller is.

Step 5: Session as the target. The plugin logs the attacker in as the WordPress user whose email address matches.

Step 6: Impact. The attacker now holds that user's capabilities. For an administrator account this means full control of the site: content, users, plugins and settings.

03 // Deep Technical Analysis

The vulnerability stems from insufficient identity validation in the Comments plugin's disqus.com login provider. The plugin accepts a login for the WordPress user matching a supplied email address without an authenticated assertion from disqus.com that the caller actually controls that identity. The advisory does not publish the exact missing check; what it does state is that the bypass works only for users who have no disqus.com account yet, so the defect sits in the plugin's handling of the "no matching Disqus user" case, where the client-supplied email address is trusted instead of being refused. The standard hardening for any social-login integration applies: take the email address only from the provider's token-backed response, link WordPress accounts to the provider's stable user identifier rather than to an email string, and never attach a session to an existing WordPress account on the strength of an email match alone. Version 7.6.40 addresses the issue.
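To make the failure mode in the Vulnerability Mechanism and Deep Technical Analysis sections concrete, the following is an added illustration, not code from the Comments plugin or its fix. It models a social-login callback in two forms: one that resolves a WordPress user from a caller-supplied email address (the class of flaw described above), and one that accepts only an identity obtained from the provider's token-backed user lookup and links accounts by provider ID. The user table, `FakeDisqusAPI`, the token values and the `disqus_id` field are constructed for the example and are not real Disqus or WordPress APIs.

```python
"""Hypothetical social-login identity resolution: vulnerable and hardened.

Not the Comments plugin's code. The provider API, tokens and user table
are constructed stand-ins so the example runs offline.
"""
from typing import Optional

# Constructed stand-in for the WordPress user table. The "disqus_id" field is
# an assumed link between a WP account and a provider account; None means the
# user has never registered on the provider (the case the advisory describes).
WP_USERS = {
    "admin@example.org": {"id": 1, "role": "administrator", "disqus_id": None},
    "alice@example.org": {"id": 2, "role": "subscriber", "disqus_id": "dq-777"},
}


class FakeDisqusAPI:
    """Constructed stand-in for a provider's token-backed user lookup."""

    def __init__(self, tokens: dict):
        # access_token -> provider profile; only the provider can mint tokens
        self._tokens = tokens

    def user_details(self, access_token: str) -> Optional[dict]:
        return self._tokens.get(access_token)


# Constructed provider state: Alice has a real profile; the attacker has a
# profile of their own whose email claims the admin's address.
DEMO_API = FakeDisqusAPI({
    "tok-alice": {"id": "dq-777", "email": "alice@example.org"},
    "tok-attacker": {"id": "dq-999", "email": "admin@example.org"},
})


def vulnerable_login(callback: dict) -> Optional[int]:
    """Flawed pattern: the email in the callback is treated as proof of identity.

    Anyone who knows a user's email address can obtain that user's session.
    """
    user = WP_USERS.get(callback.get("email", ""))
    return user["id"] if user else None


def hardened_login(callback: dict, api: FakeDisqusAPI) -> Optional[int]:
    """Resolve identity only from the provider's authenticated response.

    1. Require an access token and look the caller up at the provider.
    2. Match an existing WP account by provider user ID, never by email.
    3. If the provider email matches an unlinked WP account, refuse: linking
       must be done by that WP user while already authenticated.
    """
    token = callback.get("access_token")
    if not token:
        return None
    profile = api.user_details(token)
    if not profile or not profile.get("id") or not profile.get("email"):
        return None
    for user in WP_USERS.values():
        if user["disqus_id"] == profile["id"]:
            return user["id"]
    # Provider email collides with an existing, unlinked WP account: this is
    # exactly the "user has no provider account yet" case, so do not auto-link.
    if profile["email"] in WP_USERS:
        return None
    # A genuinely new identity could be provisioned here; out of scope.
    return None


def link_provider_account(wp_user_id: int, access_token: str, api: FakeDisqusAPI) -> bool:
    """Safe linking path: an already-authenticated WP user binds a provider ID."""
    profile = api.user_details(access_token)
    if not profile or not profile.get("id"):
        return False
    for user in WP_USERS.values():
        if user["id"] == wp_user_id:
            user["disqus_id"] = profile["id"]
            return True
    return False


if __name__ == "__main__":
    forged = {"email": "admin@example.org"}          # attacker-chosen callback
    print("vulnerable:", vulnerable_login(forged))    # admin's user id
    print("hardened:  ", hardened_login(forged, DEMO_API))
    print("hardened (attacker token):",
          hardened_login({"access_token": "tok-attacker"}, DEMO_API))
    print("hardened (alice token):   ",
          hardened_login({"access_token": "tok-alice"}, DEMO_API))
```

The attacker's token case is the instructive one: even when the provider response is authentic, the attacker's own provider profile carrying the victim's email address must not be allowed to claim the victim's unlinked WordPress account. Linking by provider ID, established only through `link_provider_account` while the WordPress user is already logged in, is what closes that path.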

CVE-2025-13820 - MEDIUM Severity (5.3) | Free CVE Database | 4nuxd