CVE-2025-5701
WordPress · HyperComments Plugin
The HyperComments WordPress plugin contains a missing capability check in the hc_request_handler function, allowing unauthenticated attackers to modify site options and escalate privileges.
Executive summary
A critical privilege escalation vulnerability in the HyperComments plugin allows unauthenticated attackers to gain administrative access by modifying site registration settings.
Vulnerability
The plugin fails to perform necessary capability checks on the hc_request_handler function. This flaw allows unauthenticated attackers to update arbitrary WordPress configuration options, such as enabling user registration and changing the default registration role to "administrator."
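As an added illustration, not the HyperComments plugin's own code, the insecure pattern described above beside the hardened form WordPress expects for an option-writing request handler; the function, hook, option and nonce names are hypothetical.

```php
<?php
// Added illustration, not the HyperComments plugin's code. All names are hypothetical;
// the point is the missing capability check and what a correct handler does instead.

// Insecure pattern: reachable by any caller, writes whatever option name the client sends.
function example_insecure_request_handler() {
    $name  = $_POST['option'] ?? '';
    $value = $_POST['value'] ?? '';
    update_option( $name, $value ); // no authentication, no capability check, no allowlist
    wp_send_json_success();
}

// Hardened pattern.
function example_secure_request_handler() {
    // 1. Capability check: unauthenticated callers and non-admins stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF protection: the request must carry the nonce issued to the admin UI.
    check_ajax_referer( 'example_settings_nonce', '_wpnonce' );

    // 3. The client never chooses the option name; map it to an allowlist with sanitizers,
    //    so core options such as users_can_register or default_role are unreachable.
    $allowed = array(
        'example_widget_id' => 'sanitize_text_field',
        'example_enabled'   => 'rest_sanitize_boolean',
    );
    $name = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! array_key_exists( $name, $allowed ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    $raw   = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    $value = call_user_func( $allowed[ $name ], $raw );
    update_option( $name, $value );
    wp_send_json_success();
}

// Register the hardened handler for logged-in users only: no wp_ajax_nopriv_ hook,
// so unauthenticated requests are rejected before the handler runs.
add_action( 'wp_ajax_example_save_settings', 'example_secure_request_handler' );
```

The same three checks (capability, nonce, option allowlist) are what an audit of any plugin's request handlers should confirm before trusting it to write settings.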
Business impact
This vulnerability enables unauthenticated remote attackers to gain full administrative access to the affected WordPress installation. Given the CVSS score of 8.8 and the ease of exploitation, this poses an extreme risk of total site compromise, including data exfiltration and the installation of malicious backdoors.
Remediation
Immediate Action: Update the HyperComments plugin to the latest patched version without delay.
Proactive Monitoring: Audit site settings for unauthorized changes to user registration roles and monitor access logs for suspicious requests to the hc_request_handler function.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block unauthorized requests attempting to modify sensitive WordPress settings.
Exploitation status
Public Exploit Available: true
Analyst recommendation
The existence of a public exploit significantly elevates the risk associated with this vulnerability. Administrators must apply the security update immediately and audit their site configuration to ensure that registration settings have not been tampered with by unauthorized parties.