CVE-2025-62874
Description
Missing Authorization vulnerability in Alexander AnyComment anycomment allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AnyComment: from n/a through <= 0.3.6.
Analysis
Missing authorization in the Alexander AnyComment WordPress plugin through version 0.3.6 allows unauthenticated attackers to exploit incorrectly configured access control security levels, resulting in unauthorized access to protected functionality. The vulnerability stems from broken access control mechanisms (CWE-862) rather than authentication bypass, meaning authenticated sessions may also be affected depending on their privilege level. With an EPSS score of 0.02% and no reported active exploitation, this represents a low-probability real-world risk despite the critical nature of access control flaws.
Technical Context
AnyComment is a WordPress plugin that manages user comments and community engagement. The vulnerability is an improper implementation of access control security levels (CWE-862: Missing Authorization), a classic authorization flaw in which the application fails to enforce permission checks before allowing users to access or modify protected resources. WordPress plugins typically implement role-based access control (RBAC) through capability checks (for example, `current_user_can()` in request handlers or the `permission_callback` of a REST route); this issue indicates those checks are either missing, incorrectly configured, or applied inconsistently across certain endpoints or functions. The affected plugin versions through 0.3.6 contain flawed access control logic that permits unauthorized resource access based on misconfigured security level settings.
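As an added illustration of the capability-check pattern described above, the following contrasts a REST route whose permission callback admits everyone with one that enforces a WordPress core capability. This is hypothetical example code, not AnyComment's source; the namespace, route, handler names and the choice of `moderate_comments` are assumptions.

```php
<?php
// Hypothetical illustration of CWE-862 in a WordPress plugin (not AnyComment's code).
// Assumes a comment-moderation REST endpoint; names and namespace are invented.

// Weak pattern: '__return_true' makes the route reachable by any caller, so
// authorization would have to happen inside the handler (and here it does not).
function example_register_weak_route() {
    register_rest_route( 'example-comments/v1', '/comment/(?P<id>\d+)/approve', array(
        'methods'             => 'POST',
        'callback'            => 'example_approve_comment',
        'permission_callback' => '__return_true',
    ) );
}

// Hardened pattern: the permission callback requires the core capability for
// moderating comments. With cookie authentication, core only attaches the
// logged-in user when a valid REST nonce is present, so unauthenticated or
// low-privilege requests fail this check before the handler ever runs.
function example_register_hardened_route() {
    register_rest_route( 'example-comments/v1', '/comment/(?P<id>\d+)/approve', array(
        'methods'             => 'POST',
        'callback'            => 'example_approve_comment',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'moderate_comments' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
            }
            return true;
        },
        'args' => array(
            'id' => array( 'validate_callback' => function ( $value ) { return is_numeric( $value ); } ),
        ),
    ) );
}

function example_approve_comment( WP_REST_Request $request ) {
    $comment_id = (int) $request['id'];
    // Defence in depth: re-check the meta capability against the specific comment,
    // so the handler stays safe even if a route is ever registered without a guard.
    if ( ! current_user_can( 'edit_comment', $comment_id ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    wp_set_comment_status( $comment_id, 'approve' );
    return rest_ensure_response( array( 'approved' => $comment_id ) );
}

add_action( 'rest_api_init', 'example_register_hardened_route' );
```

When auditing a plugin for this class of flaw, grep for `'__return_true'` permission callbacks and `wp_ajax_nopriv_` hooks and confirm each state-changing handler performs its own capability check.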
Affected Products
Alexander AnyComment WordPress plugin versions from an unspecified baseline through version 0.3.6 are affected. The plugin is distributed through the WordPress plugin repository. An exact CPE string is not provided in the available data, but the affected product is identified as WordPress Plugin: anycomment, versions up to and including 0.3.6. Refer to the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/anycomment/vulnerability/wordpress-anycomment-plugin-0-3-6-broken-access-control-vulnerability for detailed product information and advisory details.
Remediation
Update the AnyComment plugin to a version greater than 0.3.6 immediately. Check the WordPress plugin repository or the plugin developer's official release page for the latest patched version. If automatic updates are not configured, manually download and install the latest version from the WordPress.org plugin directory. Additionally, review and audit all role-based access control configurations within the plugin settings to ensure security levels are correctly assigned to user roles, especially for any custom roles or capability assignments. Administrators should restrict plugin access to trusted users only pending a full version update. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/anycomment for further remediation guidance from the reporting organization.