CVE-2025-4202 is a missing authorization vulnerability in the Multicollab: Content Team Collaboration and Editorial Workflow plugin for WordPress. Due to a missing capability check on the cf_add_comment function, authenticated attackers with Subscriber-level access or above can add comments to arbitrary collaborations they should not have access to. All versions up to and including 5.2 are affected. It carries a CVSS v3.1 base score of 4.3 (Medium) and was published on May 16, 2026 (GitHub Advisory, Wordfence).
The root cause is CWE-862 (Missing Authorization): the cf_add_comment function in the plugin's class-commenting-block-admin.php does not verify whether the calling user has the appropriate capability to interact with a given collaboration before allowing a comment to be added. An attacker only needs a valid WordPress account at Subscriber level or higher to exploit this over the network with low complexity and no user interaction required. The vulnerable code path is visible in the plugin's source at version 4.8.1 (GitHub Advisory, Plugin Source).
Successful exploitation allows any authenticated WordPress user — including those with minimal Subscriber-level privileges — to inject comments into arbitrary editorial collaborations managed by the Multicollab plugin, bypassing intended access controls. The impact is limited to integrity (unauthorized data modification); there is no confidentiality or availability impact. This could disrupt editorial workflows, introduce misleading or malicious content into collaboration threads, and undermine trust in the content review process (GitHub Advisory, Wordfence).
Users should update the Multicollab plugin to a version newer than 5.2 as soon as a patched release is available; the fix was introduced in the changeset tracked at the WordPress plugin repository (Plugin Changeset). As an interim workaround, site administrators should restrict Subscriber-level user registration if it is not required, and add server-side access controls or a Web Application Firewall (WAF) rule that blocks unauthorized requests reaching the cf_add_comment function. Monitoring WordPress user roles and limiting plugin access to trusted contributors further reduces exposure (Wordfence, GitHub Advisory).
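The root-cause and remediation paragraphs above describe a classic CWE-862 shape: an AJAX handler reachable by any logged-in user that never asks whether that user may touch the object it acts on. The following PHP is an added illustration of that pattern and of the capability check that closes it; it is not the Multicollab plugin's code and does not reproduce its cf_add_comment function. The AJAX action name `mc_add_comment`, the nonce action `mc_comment`, the request field names and the `hypothetical_store_comment` helper are all assumptions made for the example. The WordPress functions used (`check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `get_post`, `absint`, `sanitize_text_field`, `sanitize_textarea_field`) are real core APIs.

```php
<?php
/*
 * Illustrative example only: NOT the Multicollab plugin's code.
 * Shows the CWE-862 pattern behind CVE-2025-4202 and one way to fix it.
 * Hypothetical names: the 'mc_add_comment' AJAX action, the 'mc_comment'
 * nonce action, the request fields, and hypothetical_store_comment().
 */

// --- Vulnerable pattern -------------------------------------------------
// wp_ajax_* hooks fire for every logged-in user regardless of role, so
// being logged in is authentication, not authorization.
function vulnerable_add_comment() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $thread  = isset( $_POST['thread_id'] ) ? sanitize_text_field( wp_unslash( $_POST['thread_id'] ) ) : '';
    $text    = isset( $_POST['text'] ) ? sanitize_textarea_field( wp_unslash( $_POST['text'] ) ) : '';

    // Missing check: nothing verifies the caller may work on $post_id, so a
    // Subscriber can append to any collaboration by supplying another post's ID.
    hypothetical_store_comment( $post_id, $thread, $text, get_current_user_id() );
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------
function hardened_add_comment() {
    // 1. CSRF: reject requests without a valid nonce (dies with 403 on failure).
    check_ajax_referer( 'mc_comment', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        wp_send_json_error( array( 'message' => 'Unknown collaboration.' ), 404 );
    }

    // 2. Authorization on the specific object: 'edit_post' is a meta capability
    //    resolved per post, so it honours role, ownership and post-type caps.
    //    Subscribers never hold it; Contributors hold it only for their own drafts.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed to comment on this collaboration.' ), 403 );
    }

    // 3. Input validation happens after the access decision, not instead of it.
    $thread = isset( $_POST['thread_id'] ) ? sanitize_text_field( wp_unslash( $_POST['thread_id'] ) ) : '';
    $text   = isset( $_POST['text'] ) ? sanitize_textarea_field( wp_unslash( $_POST['text'] ) ) : '';
    if ( '' === $thread || '' === $text ) {
        wp_send_json_error( array( 'message' => 'Thread and comment text are required.' ), 400 );
    }

    hypothetical_store_comment( $post_id, $thread, $text, get_current_user_id() );
    wp_send_json_success( array( 'post_id' => $post_id, 'thread_id' => $thread ) );
}

// Hypothetical persistence helper (example only); a real plugin might use a custom table.
function hypothetical_store_comment( $post_id, $thread, $text, $user_id ) {
    $key        = '_mc_thread_' . $thread;
    $comments   = (array) get_post_meta( $post_id, $key, true );
    $comments[] = array( 'user' => $user_id, 'text' => $text, 'time' => time() );
    update_post_meta( $post_id, $key, $comments );
}

// Register only the hardened handler, and only for logged-in users
// (deliberately no wp_ajax_nopriv_ variant).
add_action( 'wp_ajax_mc_add_comment', 'hardened_add_comment' );
```

The point of the hardened version is the order of the checks: nonce first (request authenticity), then an object-scoped capability check against the post the collaboration belongs to, and only then input handling and persistence. A role-name comparison or a bare `is_user_logged_in()` would not be a substitute, because the advisory's whole finding is that the lowest authenticated role already reaches the handler.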
Source: This report was generated with the help of AI