A critical Settings Change vulnerability has been identified in the Deeper Comments plugin. This vulnerability could allow a malicious actor to change the settings of a WordPress website, potentially giving them control of the website.

Jerome Bruandet discovered and reported this vulnerability.

This vulnerability is caused by a flaw in the way that the Deeper Comments plugin handles user input. An attacker can exploit this flaw in the plugin's code to change the settings of the affected website.


Critical (CVSS 3.1 score of 8.8)

Affected Versions

All versions of the Deeper Comments plugin


If a malicious actor is able to exploit this vulnerability, they could:

  • Change the settings of your WordPress website, potentially giving them control of your website.
  • Install malicious plugins or themes on the website.
  • Steal data from the website, such as user information or passwords.
  • Deface your website.


Given the critical nature of this security vulnerability, users must take immediate action to secure their WordPress site:

  1. Temporary Deactivation: Consider temporarily deactivating the Deeper Comments plugin until a patched version is made available by the developer.
  2. Monitor for Updates: Continuously check for updates to the Deeper Comments plugin. Once a patched version is released, update the plugin as soon as possible.
  3. Patch Review: Upon the release of an update, ensure it includes a fix for the vulnerability you’re concerned about. Review the plugin’s changelog and release notes for information regarding security improvements.
  4. Alternative Plugins: Explore alternative comment-related plugins to replace Deeper Comments temporarily. Ensure any alternatives are reputable and actively maintained.