CVE-2025-4202

Multicollab: Content Team Collaboration and Editorial Workflow <= 5.2 - Missing Authorization to Authenticated (Subscriber+) Collaboration Comment

Type: Missing Authorization
CVSS Score: 4.3
Severity: Medium
Patched in: 5.3
Time to patch: 2d

Description

The Multicollab: Content Team Collaboration and Editorial Workflow plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'cf_add_comment' function in all versions up to, and including, 5.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add comments to arbitrary collaborations.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 5.2
Published: May 15, 2026
Last updated: May 16, 2026
Affected plugin: commenting-feature

What Changed in the Fix

Changes introduced in v5.3

Source Code

WordPress.org SVN
Research Plan
Unverified

Exploitation Research Plan: CVE-2025-4202 (Multicollab Missing Authorization)

1. Vulnerability Summary

The Multicollab: Content Team Collaboration and Editorial Workflow plugin for WordPress is vulnerable to Missing Authorization in the cf_add_comment function (likely an AJAX handler) in versions up to and including 5.2. This vulnerability allows an authenticated attacker with Subscriber-level permissions to add comments to arbitrary collaborations on any post, regardless of whether they have permission to edit or comment on that specific content.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: cf_add_comment
  • HTTP Method: POST
  • Authentication: Required (Subscriber level or higher)
  • Vulnerable Parameter: post_id (allowing comments on arbitrary posts)
  • Preconditions:
    • The plugin must be active.
    • A Subscriber account must be available.
    • A target Post (e.g., published by an Admin) must exist.

3. Code Flow (Inferred)

  1. The plugin registers an AJAX action for cf_add_comment using add_action( 'wp_ajax_cf_add_comment', ... ).
  2. The JS file admin/assets/js/commenting-block-admin.js interacts with the commenting system, utilizing currentUserData and checking capabilities via the mdstore (Gutenberg data store).
  3. When the AJAX request is sent, the PHP function cf_add_comment is invoked.
  4. The function likely retrieves post_id and comment_content from the $_POST superglobal.
  5. Critical Flaw: The function fails to perform a capability check (e.g., current_user_can( 'edit_post', $post_id )) before inserting the comment into the database (likely the wp_multicollab_comments table or the standard wp_comments table with custom meta).

4. Nonce Acquisition Strategy

The plugin localizes data for its JS scripts. Based on the presence of currentUserData in admin/assets/js/commenting-block-admin-functions.js, the nonce is likely stored in a related global object.

  1. Identify the Localization Object: The plugin likely uses multicollab_vars, mc_vars, or cf_vars.
  2. Trigger Script Loading: Multicollab scripts typically load on the post editor page or pages where collaboration is enabled.
  3. Procedure:
    • Create a test page as Admin.
    • Access the page as a Subscriber.
    • Use browser_eval to find the nonce:
      • browser_eval("window.mc_vars?.nonce")
      • browser_eval("window.multicollab_vars?.nonce")
      • browser_eval("window.currentUserData?.nonce") (inferred)
  4. Bypass Check: If wp_verify_nonce is called with action -1 or if the check is missing entirely, the exploit may proceed without a specific action-bound nonce.

5. Exploitation Strategy

Step 1: Authentication

Authenticate as a Subscriber user and maintain the session cookies.

Step 2: Identify Target

Select a Target Post ID (post_id) created by an Administrator that the Subscriber should not be able to comment on.

Step 3: Send Malicious AJAX Request

Construct a POST request to admin-ajax.php.

Request Details:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers:
    • Content-Type: application/x-www-form-urlencoded
    • Cookie: [Subscriber_Session_Cookies]
  • Body:
    action=cf_add_comment&post_id=[TARGET_POST_ID]&comment_content=Unauthorized+Collaboration+Comment&nonce=[NONCE]&is_suggestion=0&board_id=el_target_123
    
    (Note: board_id and is_suggestion are inferred common parameters for Multicollab comments based on the JS source's use of getBoardIds).

6. Test Data Setup

  1. Users:
    • Create an Admin user (admin_user).
    • Create a Subscriber user (attacker_subscriber).
  2. Content:
    • As admin_user, create a private post or a published post (ID 123).
    • Enable Multicollab collaboration on this post if the plugin settings require it.
  3. Plugin Configuration: Ensure the plugin is active and "Commenting" is enabled in Multicollab settings.

7. Expected Results

  • The server should respond with a 200 OK and a JSON response indicating success (e.g., {"success":true,"data":...}).
  • The comment should be visible in the Multicollab collaboration sidebar when viewing the post as an Administrator.

8. Verification Steps

  1. Database Check: Query the wp_multicollab_comments table (if present) or wp_comments for the injected content:
    • wp db query "SELECT * FROM wp_multicollab_comments WHERE comment_content LIKE '%Unauthorized%';" --path=/var/www/html
  2. CLI Verification:
    • wp comment list --post_id=[TARGET_POST_ID]
  3. UI Verification: Navigate to the Post Edit screen for the target post as Admin and check the collaboration panel for the Subscriber's comment.

9. Alternative Approaches

  • Missing Parameters: If cf_add_comment fails, try mc_add_comment (alternative naming convention observed in some versions).
  • Suggestion Vector: Try setting is_suggestion=1 and providing suggestion_data to see if unauthorized suggestions can also be injected via the same missing check.
  • Nonce Bypass: If a valid nonce cannot be found, try the request without the nonce parameter to see if the plugin fails to verify it entirely.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Multicollab plugin for WordPress is vulnerable to unauthorized modification of data because it fails to implement capability checks in its AJAX handlers, specifically the 'cf_add_comment' function. This allows any authenticated user with Subscriber-level access or higher to add collaboration comments or suggestions to arbitrary posts by providing the target post's ID.

Vulnerable Code

// From admin/assets/js/commenting-block-admin.js (v5.2)
// While the PHP source is not provided, the JS demonstrates the pattern of AJAX calls
// used by the plugin that lack sufficient server-side authorization checks.

body: new URLSearchParams({
    action: "cf_get_user",
    nonce: multicollab_general_nonce.nonce,
}),

// The corresponding PHP AJAX handler (e.g., cf_add_comment) failed to check
// if the current user had permissions (current_user_can('edit_post', $post_id))
// before processing the comment for the provided post_id.
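The inferred code flow in section 3 of the research plan and the Vulnerable Code section above both come down to one missing line: a per-post capability check between reading post_id from the request and inserting the comment. The following PHP is an added illustration written for this page, not Multicollab's own code (the plugin's PHP source is not reproduced here). It shows the inferred vulnerable shape next to a hardened handler. The handler function names, the nonce action name 'multicollab_general_nonce', the comment_type value and the is_suggestion meta key are assumptions chosen for the example; the WordPress functions used (check_ajax_referer, current_user_can, wp_insert_comment, wp_send_json_error, add_comment_meta) are real core APIs.

```php
<?php
// Added example (not the plugin's code): the missing-authorization pattern the
// advisory describes, and the hardened form of the same AJAX handler.
// Assumed names: cf_add_comment_inferred_vulnerable, cf_add_comment_hardened,
// nonce action 'multicollab_general_nonce', comment_type 'multicollab_comment'.

// Inferred vulnerable shape: post_id is taken from the request and the insert
// runs for any logged-in user, because no capability check is made on that post.
function cf_add_comment_inferred_vulnerable() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $content = wp_kses_post( wp_unslash( $_POST['comment_content'] ?? '' ) );

    // Missing here: current_user_can( 'edit_post', $post_id )
    $comment_id = wp_insert_comment( array(
        'comment_post_ID' => $post_id,
        'comment_content' => $content,
        'user_id'         => get_current_user_id(),
        'comment_type'    => 'multicollab_comment', // assumed value
    ) );
    wp_send_json_success( array( 'comment_id' => $comment_id ) );
}

// Hardened handler: request-origin (nonce) check, then an object-level
// authorization check against the specific post, then input handling.
function cf_add_comment_hardened() {
    // 1. Nonce: confirms the request came from a page rendered for this user.
    //    This is CSRF protection only; it says nothing about what the user may do.
    //    The action name must match the wp_create_nonce() call used when the
    //    script's data is localized. On failure check_ajax_referer() dies with -1.
    check_ajax_referer( 'multicollab_general_nonce', 'nonce' );

    // 2. Authorization on the target object. 'edit_post' is a meta capability,
    //    so WordPress resolves it per post: a Subscriber does not hold it for a
    //    post authored by an Administrator. This is the check the advisory
    //    reports as missing in versions <= 5.2.
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid post.' ), 400 );
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'You may not comment on this post.' ), 403 );
    }

    // 3. Input handling: unslash, restrict markup to post-safe HTML, reject empties.
    $content = wp_kses_post( wp_unslash( $_POST['comment_content'] ?? '' ) );
    if ( '' === trim( wp_strip_all_tags( $content ) ) ) {
        wp_send_json_error( array( 'message' => 'Empty comment.' ), 400 );
    }
    $is_suggestion = ! empty( $_POST['is_suggestion'] ) ? 1 : 0;

    // 4. Persist. user_id is taken from the session, never from the request.
    $comment_id = wp_insert_comment( array(
        'comment_post_ID' => $post_id,
        'comment_content' => $content,
        'user_id'         => get_current_user_id(),
        'comment_type'    => 'multicollab_comment', // assumed value
    ) );
    if ( ! $comment_id ) {
        wp_send_json_error( array( 'message' => 'Could not save comment.' ), 500 );
    }
    if ( $is_suggestion ) {
        add_comment_meta( $comment_id, 'is_suggestion', 1 ); // assumed meta key
    }
    wp_send_json_success( array( 'comment_id' => $comment_id ) );
}

// Register only the authenticated hook; there is deliberately no
// wp_ajax_nopriv_ variant, so anonymous requests never reach the handler.
add_action( 'wp_ajax_cf_add_comment', 'cf_add_comment_hardened' );
```

The design point is the ordering: the nonce check and the capability check are independent controls, and only the second one addresses this finding. A valid nonce is available to every logged-in user who can load a page that localizes it, which is exactly the precondition the advisory lists, so a handler that verifies the nonce but skips current_user_can() on the specific post_id is still vulnerable. When auditing other AJAX handlers in a plugin, the check to look for is the object-level one, not just the presence of check_ajax_referer().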

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/commenting-feature/5.2/admin/assets/js/commenting-block-admin.js /home/deploy/wp-safety.org/data/plugin-versions/commenting-feature/5.3/admin/assets/js/commenting-block-admin.js
--- /home/deploy/wp-safety.org/data/plugin-versions/commenting-feature/5.2/admin/assets/js/commenting-block-admin.js	2025-12-15 07:25:10.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/commenting-feature/5.3/admin/assets/js/commenting-block-admin.js	2026-04-30 07:36:38.000000000 +0000
@@ -390,8 +390,8 @@
 				"Content-Type": "application/x-www-form-urlencoded",
 			},
 			body: new URLSearchParams({
-				action: "cf_get_user",
-				nonce: multicollab_general_nonce.nonce,
+				action: "multicollab_get_user",
+				nonce: multicollabBlockEditorAjax.nonce,
 			}),
 		})
 			.then((response) => response.json())
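Review bot: this hunk only renames the client-side action (`cf_get_user` to `multicollab_get_user`) and the localized nonce object (`multicollab_general_nonce.nonce` to `multicollabBlockEditorAjax.nonce`); it does not contain the server-side capability check on `cf_add_comment` that the advisory names as the fix, so the authorization change cannot be confirmed from this hunk alone and the PHP handlers registered for the renamed `wp_ajax_multicollab_*` actions (and any still-registered `wp_ajax_cf_*` ones) should be checked for a `current_user_can( 'edit_post', $post_id )` call. A nonce is CSRF protection, not authorization, so changing which nonce is sent does not by itself close the finding. Two smaller points: `multicollabBlockEditorAjax` must be localized on every screen this script runs on, otherwise the `new URLSearchParams({...})` expression throws a ReferenceError before the request is sent; and if the old `cf_get_user` action remains registered on the server for compatibility, it inherits whatever checks it had before, so the rename should be paired with removal or hardening of the old handler.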

Exploit Outline

To exploit this vulnerability, an attacker must first authenticate as a Subscriber-level user. Once logged in, the attacker extracts a valid nonce from the localized JavaScript variables (such as `multicollab_general_nonce.nonce` or `multicollab_vars.nonce`) visible in the page source of any editor-related page. The attacker then constructs a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `cf_add_comment`. By including a target `post_id` (even for posts they do not own or have permission to edit) and the `comment_content`, the attacker can inject comments into the collaboration workflow of that post.
