CVE-2025-13820: CWE-269 Improper Privilege Management in Comments
The Comments WordPress plugin before 7.6.40 does not properly validate a user's identity when using the disqus.com provider, allowing an attacker to log in as any user (when knowing their email address) when that user does not yet have an account on disqus.com.
AI Analysis
Technical Summary
CVE-2025-13820 is a vulnerability identified in the WordPress Comments plugin versions prior to 7.6.40. The flaw arises from improper privilege management (CWE-269) related to user identity validation when the plugin is configured to use the disqus.com commenting provider. Specifically, the plugin fails to properly verify whether a user attempting to log in via Disqus actually owns the associated email address or has a valid Disqus account. This weakness allows an attacker who knows the email address of any WordPress user to impersonate that user and gain unauthorized access to their account on the WordPress site, even if the user has not registered on Disqus. The vulnerability can be exploited remotely without requiring any authentication or user interaction, increasing the risk of automated or large-scale attacks. The CVSS v3.1 base score is 5.3, reflecting a medium severity level primarily due to the confidentiality impact (unauthorized access to user accounts) without direct impact on data integrity or system availability. No public exploits have been reported yet, but the vulnerability poses a significant risk to sites relying on the Comments plugin with Disqus integration. The root cause is the plugin's failure to properly validate user identity and privileges during the login process, violating secure authentication principles and allowing privilege escalation through identity spoofing.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized access to user accounts on WordPress sites using the vulnerable Comments plugin with Disqus integration. This unauthorized access compromises confidentiality by exposing user-specific data and potentially sensitive information accessible through the compromised accounts. Although the vulnerability does not directly affect data integrity or availability, attackers gaining access to user accounts could perform actions on behalf of those users, such as posting comments or accessing restricted content, which may indirectly impact trust and reputation. Organizations relying on WordPress for customer engagement, content management, or internal communications could face data breaches or user impersonation incidents. The risk is heightened for entities with large user bases or those in sectors where user identity and data privacy are critical, such as media, e-commerce, and public services. Additionally, the lack of authentication or user interaction requirements makes exploitation easier, increasing the likelihood of automated attacks targeting multiple users. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits rapidly after vulnerability disclosure.
Mitigation Recommendations
The primary mitigation is to update the WordPress Comments plugin to version 7.6.40 or later, where the vulnerability has been addressed by improving user identity validation when using the Disqus provider. Organizations should ensure that all WordPress plugins, especially those handling authentication or third-party integrations, are kept up to date with security patches. Additionally, review and audit authentication flows involving third-party providers like Disqus to confirm that proper validation and privilege checks are enforced. Implement monitoring and alerting for unusual login activities or account access patterns that could indicate exploitation attempts. Consider restricting login attempts or adding multi-factor authentication (MFA) at the WordPress site level to reduce the impact of compromised credentials. For sites where immediate patching is not feasible, temporarily disabling Disqus integration or switching to alternative commenting systems can reduce exposure. Finally, educate site administrators about the risks of third-party authentication integrations and the importance of timely updates.
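To make the flaw class in the technical summary and the "audit authentication flows" recommendation concrete, the following added example (not the plugin's code; the page does not describe the plugin's actual Disqus handshake) contrasts a login that trusts a client-supplied e-mail with one that accepts only a provider-signed, fresh assertion. The HMAC-SHA256 shared-secret scheme, the `USERS` table and the secret value are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder for a secret shared between the site and the identity provider.
PROVIDER_SECRET = b"example-shared-secret-not-real"

# Constructed stand-in for the WordPress user table, keyed by e-mail address.
USERS = {
    "alice@example.org": {"id": 1, "login": "alice"},
    "bob@example.org": {"id": 2, "login": "bob"},
}


def vulnerable_login(claimed_email):
    """Flaw class from the advisory: the site maps a client-supplied e-mail to a
    local account and treats that as a login. Knowing the address is enough."""
    return USERS.get(claimed_email)


def make_assertion(email, secret=PROVIDER_SECRET, ts=None):
    """Provider side (hypothetical): sign {email, ts} so the site can distinguish
    an identity the provider vouches for from one an attacker merely claims."""
    ts = int(time.time()) if ts is None else ts
    payload = base64.b64encode(json.dumps({"email": email, "ts": ts}).encode()).decode()
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def hardened_login(assertion, now=None, max_age=300):
    """Site side: accept only an assertion signed with the provider secret and
    issued within max_age seconds, then map the vouched e-mail to a local user."""
    try:
        payload, sig = assertion.split(".", 1)
    except ValueError:  # malformed token
        return None
    expected = hmac.new(PROVIDER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # forged or tampered assertion
        return None
    data = json.loads(base64.b64decode(payload))
    now = int(time.time()) if now is None else now
    if abs(now - data["ts"]) > max_age:  # replayed or stale assertion
        return None
    return USERS.get(data["email"])
```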
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2025-12-01T10:12:16.300Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 695610a1db813ff03e43b0da
Added to database: 1/1/2026, 6:13:53 AM
Last enriched: 1/8/2026, 4:26:35 PM
Last updated: 2/7/2026, 7:40:50 AM
Related Threats
- CVE-2026-2076: Improper Authorization in yeqifu warehouse (Medium)
- CVE-2025-15491: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Post Slides (High)
- CVE-2025-15267: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in boldthemes Bold Page Builder (Medium)
- CVE-2025-13463: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in boldthemes Bold Page Builder (Medium)
- CVE-2025-12803: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in boldthemes Bold Page Builder (Medium)