CVE-2025-5701

Name of the Vulnerable Software and Affected Versions HyperComments plugin for WordPress versions up to, and including, 1.2.2

Description The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc request handler function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site, which can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Recommendations For HyperComments plugin for WordPress versions up to, and including, 1.2.2: Update to a version higher than 1.2.2 to fix the missing capability check on the hc request handler function. As a temporary workaround, consider disabling the hc request handler function until a patch is available. Restrict access to the WordPress site's options update functionality to minimize the risk of exploitation.