CVE-2025-4202 MEDIUM

CVE-2025-4202: Multicollab: Content Team Collaboration and Editorial Workflow <= 5.2 - Missing Authorization to Authenticated (Subscriber+) Collaboration Comment

Vendor Multicollab
Product Multicollab: Content Team Collaboration and Editorial Workflow
Weakness CWE-862 · Missing authorization
Published May 16, 2026
Last update May 18, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Multicollab: Content Team Collaboration and Editorial Workflow plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'cf_add_comment' function in all versions up to, and including, 5.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add comments to arbitrary collaborations.
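The pattern behind CWE-862 in a WordPress plugin is an AJAX handler that is reachable by every logged-in user but never asks whether that user may act on the object it touches. The following is an added illustration written for this advisory, not Multicollab's code: the action name `example_add_comment`, the request fields `post_id` and `comment`, and the meta key `_example_collab_comment` are all assumptions. It shows a handler with the missing check beside a hardened version that ties authorization to the specific post.

```php
<?php
// Added illustration for this advisory. NOT Multicollab's code: the action
// names, request fields and meta key below are assumptions chosen for the
// example. Both handlers store a "collaboration comment" as post meta.

// --- Vulnerable pattern (CWE-862, missing authorization) ---
// 'wp_ajax_*' hooks fire for every authenticated user, Subscribers included,
// so registering the action proves only that the caller is logged in.
add_action( 'wp_ajax_example_add_comment_insecure', function () {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $text    = sanitize_text_field( wp_unslash( $_POST['comment'] ?? '' ) );

    // No nonce and no check that the caller may edit this post: a Subscriber
    // can attach comments to any post ID they can guess.
    add_post_meta( $post_id, '_example_collab_comment', $text );
    wp_send_json_success();
} );

// --- Hardened pattern: CSRF token plus object-level capability check ---
add_action( 'wp_ajax_example_add_comment', function () {
    // 1. Nonce: the request must come from a page that issued
    //    wp_create_nonce( 'example_add_comment' ). check_ajax_referer()
    //    terminates the request on failure.
    check_ajax_referer( 'example_add_comment', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );
    $text    = sanitize_text_field( wp_unslash( $_POST['comment'] ?? '' ) );

    // 2. The target object must exist.
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown post.' ), 404 );
    }

    // 3. Authorize per object, not per role: 'edit_post' is a meta
    //    capability that WordPress resolves against this specific post, so a
    //    user who may edit their own drafts is still refused on someone
    //    else's. A bare is_user_logged_in() would not fix the bug.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    if ( '' === $text ) {
        wp_send_json_error( array( 'message' => 'Empty comment.' ), 400 );
    }

    add_post_meta( $post_id, '_example_collab_comment', $text );
    wp_send_json_success( array( 'post_id' => $post_id ) );
} );
```

To confirm a fix of this shape, log in as a Subscriber and POST `action=example_add_comment&post_id=<someone else's post>&comment=test` to `wp-admin/admin-ajax.php` with a valid nonce: the hardened handler must answer 403, and the post meta must remain unchanged. The same request against the insecure handler succeeds, which is exactly the condition the advisory describes.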

Explanation of Vulnerability in Simple Terms

02Summary

Multicollab 5.2 and earlier do not verify that the caller is allowed to act on a collaboration before the 'cf_add_comment' function adds a comment to it. Any logged-in user, down to the Subscriber role, can therefore post comments into collaborations they were never given access to. The flaw sits in the plugin's core collaboration (commenting) feature. The impact is limited to integrity (CVSS I:L): the attacker can inject comments, not read confidential data or take the site down.

What an attacker can do

03Attacker Capabilities

Add comments to arbitrary collaborations they are not a member of or otherwise authorized for, using nothing more than a Subscriber-level account (CVSS: Integrity Low; no Confidentiality or Availability impact).

Potential impact on your site

04Site Impact

Unauthorized users can inject comments into any collaboration, polluting editorial discussions with misleading or malicious content and undermining trust in the review trail. No disclosure of data or denial of service is attributed to this issue.

Conditions required to exploit

05Prerequisites

Attacker must have an authenticated account on the site at Subscriber level or above. On sites with open registration (Settings > General > "Anyone can register"), that is any visitor who signs up.

Key dates

06Disclosure timeline

May 16, 2026 CVE published
May 18, 2026 Record updated