[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fMi7IFnTEC01a77YE3pKGBVGpbIArGEsqwwfPeBoIJAE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2025-4202","multicollab-content-team-collaboration-and-editorial-workflow-missing-authorization-to-authenticated-subscriber-collabor","Multicollab: Content Team Collaboration and Editorial Workflow \u003C= 5.2 - Missing Authorization to Authenticated (Subscriber+) Collaboration Comment","The Multicollab: Content Team Collaboration and Editorial Workflow plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'cf_add_comment' function in all versions up to, and including, 5.2. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to add comments to arbitrary collaborations.","commenting-feature",null,"\u003C=5.2","5.3","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-15 00:00:00","2026-05-16 12:30:19",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F08ec2376-dfe3-4aeb-8173-01e88309f540?source=api-prod",2,[22,23,24,25,26,27,28],"admin\u002Fassets\u002Fcss\u002Findex.php","admin\u002Fassets\u002Fjs\u002Fcommenting-block-admin-functions.js","admin\u002Fassets\u002Fjs\u002Fcommenting-block-admin-upgrade-pro-modal.js","admin\u002Fassets\u002Fjs\u002Fcommenting-block-admin.js","admin\u002Fassets\u002Fjs\u002Fcommenting-block-qmNotice.js","admin\u002Fassets\u002Fjs\u002Fdist\u002FactivityCentre.build.min.js","admin\u002Fassets\u002Fjs\u002Fdist\u002Fblock.build.min.js","researched",false,3,"# Exploitation Research Plan: CVE-2025-4202 (Multicollab Missing Authorization)\n\n## 1. Vulnerability Summary\nThe **Multicollab: Content Team Collaboration and Editorial Workflow** plugin for WordPress is vulnerable to **Missing Authorization** in the `cf_add_comment` function (likely an AJAX handler) in versions up to and including 5.2. This vulnerability allows an authenticated attacker with Subscriber-level permissions to add comments to arbitrary collaborations on any post, regardless of whether they have permission to edit or comment on that specific content.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `cf_add_comment`\n- **HTTP Method**: `POST`\n- **Authentication**: Required (Subscriber level or higher)\n- **Vulnerable Parameter**: `post_id` (allowing comments on arbitrary posts)\n- **Preconditions**:\n    - The plugin must be active.\n    - A Subscriber account must be available.\n    - A target Post (e.g., published by an Admin) must exist.\n\n## 3. Code Flow (Inferred)\n1.  The plugin registers an AJAX action for `cf_add_comment` using `add_action( 'wp_ajax_cf_add_comment', ... )`.\n2.  The JS file `admin\u002Fassets\u002Fjs\u002Fcommenting-block-admin.js` interacts with the commenting system, utilizing `currentUserData` and checking capabilities via the `mdstore` (Gutenberg data store).\n3.  When the AJAX request is sent, the PHP function `cf_add_comment` is invoked.\n4.  The function likely retrieves `post_id` and `comment_content` from the `$_POST` superglobal.\n5.  **Critical Flaw**: The function fails to perform a capability check (e.g., `current_user_can( 'edit_post', $post_id )`) before inserting the comment into the database (likely the `wp_multicollab_comments` table or the standard `wp_comments` table with custom meta).\n\n## 4. Nonce Acquisition Strategy\nThe plugin localizes data for its JS scripts. Based on the presence of `currentUserData` in `admin\u002Fassets\u002Fjs\u002Fcommenting-block-admin-functions.js`, the nonce is likely stored in a related global object.\n\n1.  **Identify the Localization Object**: The plugin likely uses `multicollab_vars`, `mc_vars`, or `cf_vars`.\n2.  **Trigger Script Loading**: Multicollab scripts typically load on the post editor page or pages where collaboration is enabled.\n3.  
**Procedure**:\n    - Create a test page as Admin.\n    - Access the page as a Subscriber.\n    - Use `browser_eval` to find the nonce:\n        - `browser_eval(\"window.mc_vars?.nonce\")`\n        - `browser_eval(\"window.multicollab_vars?.nonce\")`\n        - `browser_eval(\"window.currentUserData?.nonce\")` (inferred)\n4.  **Bypass Check**: If `wp_verify_nonce` is called with action `-1` or if the check is missing entirely, the exploit may proceed without a specific action-bound nonce.\n\n## 5. Exploitation Strategy\n\n### Step 1: Authentication\nAuthenticate as a Subscriber user and maintain the session cookies.\n\n### Step 2: Identify Target\nSelect a Target Post ID (`post_id`) created by an Administrator that the Subscriber should not be able to comment on.\n\n### Step 3: Send Malicious AJAX Request\nConstruct a POST request to `admin-ajax.php`.\n\n**Request Details**:\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Headers**:\n    - `Content-Type: application\u002Fx-www-form-urlencoded`\n    - `Cookie: [Subscriber_Session_Cookies]`\n- **Body**:\n    ```text\n    action=cf_add_comment&post_id=[TARGET_POST_ID]&comment_content=Unauthorized+Collaboration+Comment&nonce=[NONCE]&is_suggestion=0&board_id=el_target_123\n    ```\n    *(Note: `board_id` and `is_suggestion` are inferred common parameters for Multicollab comments based on the JS source's use of `getBoardIds`)*.\n\n## 6. Test Data Setup\n1.  **Users**:\n    - Create an Admin user (`admin_user`).\n    - Create a Subscriber user (`attacker_subscriber`).\n2.  **Content**:\n    - As `admin_user`, create a private post or a published post (ID `123`).\n    - Enable Multicollab collaboration on this post if the plugin settings require it.\n3.  **Plugin Configuration**: Ensure the plugin is active and \"Commenting\" is enabled in Multicollab settings.\n\n## 7. 
Expected Results\n- The server should respond with a `200 OK` and a JSON response indicating success (e.g., `{\"success\":true,\"data\":...}`).\n- The comment should be visible in the Multicollab collaboration sidebar when viewing the post as an Administrator.\n\n## 8. Verification Steps\n1.  **Database Check**: Query the `wp_multicollab_comments` table (if present) or `wp_comments` for the injected content:\n    - `wp db query \"SELECT * FROM wp_multicollab_comments WHERE comment_content LIKE '%Unauthorized%';\" --path=\u002Fvar\u002Fwww\u002Fhtml`\n2.  **CLI Verification**:\n    - `wp comment list --post_id=[TARGET_POST_ID]`\n3.  **UI Verification**: Navigate to the Post Edit screen for the target post as Admin and check the collaboration panel for the Subscriber's comment.\n\n## 9. Alternative Approaches\n- **Missing Parameters**: If `cf_add_comment` fails, try `mc_add_comment` (alternative naming convention observed in some versions).\n- **Suggestion Vector**: Try setting `is_suggestion=1` and providing `suggestion_data` to see if unauthorized suggestions can also be injected via the same missing check.\n- **Nonce Bypass**: If a valid nonce cannot be found, try the request without the `nonce` parameter to see if the plugin fails to verify it entirely.","The Multicollab plugin for WordPress is vulnerable to unauthorized modification of data because it fails to implement capability checks in its AJAX handlers, specifically the 'cf_add_comment' function. 
This allows any authenticated user with Subscriber-level access or higher to add collaboration comments to arbitrary posts by supplying the target post's ID, regardless of whether they are allowed to edit that post.","\u002F\u002F From admin\u002Fassets\u002Fjs\u002Fcommenting-block-admin.js (v5.2)\n\u002F\u002F The PHP handler is not on this page; this client-side fragment only shows the shape of the\n\u002F\u002F plugin's admin-ajax calls: an action name plus a nonce read from a localized script object.\n\u002F\u002F A nonce is CSRF protection, not authorization: wp_verify_nonce() only confirms the request\n\u002F\u002F came from the session the nonce was issued to, so the server must still check a capability\n\u002F\u002F for the target post.\n\nbody: new URLSearchParams({\n    action: \"cf_get_user\",\n    nonce: multicollab_general_nonce.nonce,\n}),\n\n\u002F\u002F Per the advisory, the cf_add_comment handler inserted the comment for the supplied post_id\n\u002F\u002F without such a check (for example current_user_can('edit_post', $post_id)).\n\u002F\u002F Note that the 5.2 -> 5.3 diff of this JS file on this page only renames the action to\n\u002F\u002F multicollab_get_user and the nonce object to multicollabBlockEditorAjax; the authorization\n\u002F\u002F fix has to live in the PHP handler, which this page does not include.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcommenting-feature\u002F5.2\u002Fadmin\u002Fassets\u002Fjs\u002Fcommenting-block-admin.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcommenting-feature\u002F5.3\u002Fadmin\u002Fassets\u002Fjs\u002Fcommenting-block-admin.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcommenting-feature\u002F5.2\u002Fadmin\u002Fassets\u002Fjs\u002Fcommenting-block-admin.js\t2025-12-15 07:25:10.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcommenting-feature\u002F5.3\u002Fadmin\u002Fassets\u002Fjs\u002Fcommenting-block-admin.js\t2026-04-30 07:36:38.000000000 +0000\n@@ -390,8 +390,8 @@\n \t\t\t\t\"Content-Type\": \"application\u002Fx-www-form-urlencoded\",\n \t\t\t},\n \t\t\tbody: new URLSearchParams({\n-\t\t\t\taction: \"cf_get_user\",\n-\t\t\t\tnonce: multicollab_general_nonce.nonce,\n+\t\t\t\taction: \"multicollab_get_user\",\n+\t\t\t\tnonce: multicollabBlockEditorAjax.nonce,\n \t\t\t}),\n \t\t})\n \t\t\t.then((response) => response.json())","To exploit this vulnerability, an 
attacker must first authenticate as a Subscriber-level user. Once logged in, the attacker reads a valid nonce from the data the plugin localizes for its scripts (the 5.2 JavaScript on this page references `multicollab_general_nonce.nonce`). Since a Subscriber lacks the `edit_posts` capability and therefore cannot open the block editor, the nonce has to be taken from a page where the plugin enqueues its scripts for that role; the plan above treats the exact variable as inferred. The attacker then sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with `action=cf_add_comment`, a target `post_id` for a post they neither own nor can edit, `comment_content`, and the nonce. Because the handler does not check the user's capability for that post, the comment is stored in that post's collaboration workflow. The nonce does not prevent this: it proves only that the request came from the session it was issued to, not that the user is authorized to act on `post_id`, so the defence is a capability check in the handler, such as `current_user_can('edit_post', $post_id)`, before the comment is inserted.","gemini-3-flash-preview","2026-05-20 17:36:02","2026-05-20 17:36:49",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","5.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcommenting-feature\u002Ftags\u002F5.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcommenting-feature.5.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcommenting-feature\u002Ftags\u002F5.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcommenting-feature.5.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcommenting-feature\u002Ftags"]