Impact
The reported flaw resides in the cf_add_comment function of the Multicollab plugin for WordPress, which omits the capability check that should verify the requesting user's permissions. Consequently, any user who can authenticate to the WordPress site, from the Subscriber role upward, can craft a request that inserts a comment into any collaboration. The injected comment is accepted without verification of ownership or permission, enabling unintended data modification within the collaborative environment. This issue does not give an attacker the ability to take over the site or read arbitrary data, but it exposes the collaborative content to manipulation by lower-privileged members.
Affected Systems
The vulnerability affects all installations of Multicollab: Content Team Collaboration and Editorial Workflow version 5.2 and earlier. Users of the plugin on any WordPress site, regardless of site size or domain, are potentially impacted as long as an account with the Subscriber role or higher exists and can authenticate.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and no EPSS score is available, so the probability of exploitation has not yet been quantified. The vulnerability is not listed in CISA's KEV catalog. An attacker requires only authenticated access to the site, which many WordPress deployments make widely available. Because the flaw is a missing authorization check on comment creation, the attack path is straightforward: a subscriber-level or higher account can submit a crafted request through the plugin's interface or API, producing an unauthorized comment. Since the content of the comment is not restricted, this could be used to spread misinformation or disrupt collaboration workflows.
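The following is an added illustration of the weakness class described in the Impact and Risk sections, not code from the Multicollab plugin: a minimal WordPress AJAX comment handler in the unchecked shape the advisory describes, beside a hardened version that verifies a nonce and a post-specific capability. All function, action, nonce and meta-key names are hypothetical; only the WordPress API calls are real.

```php
<?php
// Added illustration, not the plugin's code. Names prefixed "example_"
// are hypothetical; the WordPress functions used are real core APIs.

// Weak shape: every logged-in user can reach a wp_ajax_* hook, and this
// handler checks neither a nonce, nor a capability, nor the user's
// relation to the post before writing into the collaboration thread.
function example_add_comment_unchecked() {
    $post_id  = absint( $_POST['post_id'] ?? 0 );
    $text     = sanitize_textarea_field( wp_unslash( $_POST['comment'] ?? '' ) );
    $thread   = get_post_meta( $post_id, '_example_collab_comments', true ) ?: array();
    $thread[] = array( 'user' => get_current_user_id(), 'text' => $text );
    update_post_meta( $post_id, '_example_collab_comments', $thread );
    wp_send_json_success( array( 'count' => count( $thread ) ) );
}

// Hardened shape: verify request origin (nonce), then require a capability
// tied to the specific post, so a Subscriber cannot write into collaborations
// on content they are not permitted to edit.
function example_add_comment_checked() {
    check_ajax_referer( 'example_add_comment', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown post.' ), 404 );
    }
    // Subscribers hold no edit_post capability on any post; authors pass on
    // their own posts, editors and administrators on all. Adjust the
    // capability to whatever permission model the plugin actually uses.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $text = sanitize_textarea_field( wp_unslash( $_POST['comment'] ?? '' ) );
    if ( '' === $text ) {
        wp_send_json_error( array( 'message' => 'Empty comment.' ), 400 );
    }

    $thread   = get_post_meta( $post_id, '_example_collab_comments', true ) ?: array();
    $thread[] = array( 'user' => get_current_user_id(), 'text' => $text, 'time' => time() );
    update_post_meta( $post_id, '_example_collab_comments', $thread );
    wp_send_json_success( array( 'count' => count( $thread ) ) );
}

// wp_ajax_* hooks fire only for authenticated users, which matches the
// advisory's "Subscriber or higher" precondition; register the checked handler.
add_action( 'wp_ajax_example_add_comment', 'example_add_comment_checked' );
```

The client side must send a nonce created with wp_create_nonce( 'example_add_comment' ) in the nonce field; without it check_ajax_referer() terminates the request.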
OpenCVE Enrichment