CVE-2025-14370
Unknown Unknown - Not Provided
Missing Authorization in WordPress Quote Comments Plugin Allows Option Modification

Publication date: 2026-01-07

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The Quote Comments plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.0. This is due to missing authorization checks in the quotecomments_add_admin function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin options via the 'action' parameter.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14370
EUVD
EUVD-2026-1293
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unknown_vendor quote_comments to 3.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Quote Comments WordPress plugin (up to version 3.0.0) is a Missing Authorization issue. It occurs because the function quotecomments_add_admin lacks proper authorization checks. This allows authenticated users with Subscriber-level access or higher to update arbitrary plugin options by manipulating the 'action' parameter, potentially changing plugin behavior without proper permissions. [1]

Impact Analysis

This vulnerability allows attackers with low-level authenticated access (Subscriber or above) to modify plugin options arbitrarily. This could lead to unauthorized changes in how the plugin behaves, potentially affecting site functionality or security settings controlled by the plugin, thereby compromising the integrity of the WordPress site. [1]

Detection Guidance

You can detect this vulnerability by checking if the Quote Comments plugin version 3.0.0 or earlier is installed on your WordPress site. Since the vulnerability involves missing authorization checks in the quotecomments_add_admin function allowing Subscriber-level users to update plugin options via the 'action' parameter, you can look for unusual POST requests to the plugin's admin AJAX endpoints that include the 'action' parameter modifying plugin options. For example, monitoring HTTP POST requests to URLs like '/wp-admin/admin-ajax.php' with parameters related to quote comments plugin actions. Specific commands might include using curl to test unauthorized option updates or using WordPress CLI to check plugin versions: 1) Check plugin version via WP-CLI: `wp plugin list | grep quote-comments` 2) Monitor HTTP requests with tools like tcpdump or Wireshark filtering for POST requests to admin-ajax.php 3) Use curl to simulate a Subscriber-level user attempting to update plugin options via the 'action' parameter. However, no exact commands are provided in the resources. [1]

Mitigation Strategies

Immediate mitigation steps include updating the Quote Comments plugin to a version later than 3.0.0 where the missing authorization checks are fixed. If an update is not yet available, restrict Subscriber-level users from accessing plugin option update functionalities, or disable the plugin temporarily. Additionally, monitor and restrict suspicious POST requests that attempt to modify plugin options via the 'action' parameter. Applying standard WordPress security best practices such as limiting user privileges and monitoring admin actions is also recommended. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14370. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart