CVE-2025-24613
Description
Missing authorization in FV Thoughtful Comments plugin versions ≤ 0.3.5 allows authenticated users to bypass access controls.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The FV Thoughtful Comments plugin for WordPress contains a missing authorization vulnerability in all versions up to and including 0.3.5. The plugin's comment moderation features, intended for users with specific permissions, can be reached without proper capability checks [1].
Exploitation
An authenticated WordPress user with any role, including low-privileged roles such as subscriber, can exploit this vulnerability. The attacker simply navigates to the front-end comment moderation interface, as the plugin fails to verify the user's authorization before granting access to administrative actions. No special network position or user interaction beyond being logged in is required [1].
Impact
Successful exploitation allows the attacker to perform comment moderation actions, such as approving, unapproving, or deleting comments. The attacker gains unauthorized access to functionality that should be restricted to higher-privileged users like editors or administrators. This can lead to unauthorized changes in comment visibility and disruption to site operations [1].
Mitigation
The vulnerability is fixed in version 0.4.1 of the plugin, released on 2025-03-14. Users should update to this version immediately. There are no known workarounds for earlier versions [1].
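As an added illustration (not the plugin's code; the handler, hook and nonce names are hypothetical), the missing-authorization pattern in a WordPress front-end moderation handler next to a hardened version that adds a capability check, nonce verification and an action allow-list:

```php
<?php
// Added example, not the plugin's code. All names prefixed "hypo_" are hypothetical.

// Vulnerable pattern: only checks that *some* user is logged in.
function hypo_moderate_comment_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $comment_id = absint( $_POST['comment_id'] ?? 0 );
    $action     = sanitize_key( $_POST['do'] ?? '' );
    // A subscriber reaches this point: no capability check, no nonce.
    wp_set_comment_status( $comment_id, 'approve' === $action ? 'approve' : 'hold' );
    wp_send_json_success();
}

// Hardened pattern: authorization via WordPress core's capability model.
function hypo_moderate_comment_fixed() {
    // CSRF protection; nonce issued with wp_create_nonce( 'hypo_moderate' ).
    check_ajax_referer( 'hypo_moderate', 'nonce' );

    // Authorization: the core capability that gates comment moderation.
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $comment_id = absint( $_POST['comment_id'] ?? 0 );
    if ( ! get_comment( $comment_id ) ) {
        wp_send_json_error( 'unknown comment', 404 );
    }

    // Allow-list of user actions mapped to core comment statuses.
    $allowed = array(
        'approve'   => 'approve',
        'unapprove' => 'hold',
        'spam'      => 'spam',
        'trash'     => 'trash',
    );
    $action = sanitize_key( $_POST['do'] ?? '' );
    if ( ! isset( $allowed[ $action ] ) ) {
        wp_send_json_error( 'invalid action', 400 );
    }

    if ( ! wp_set_comment_status( $comment_id, $allowed[ $action ] ) ) {
        wp_send_json_error( 'update failed', 500 );
    }
    wp_send_json_success( array( 'comment_id' => $comment_id, 'status' => $allowed[ $action ] ) );
}

// Register only the hardened handler, and only for logged-in users (no wp_ajax_nopriv_).
add_action( 'wp_ajax_hypo_moderate_comment', 'hypo_moderate_comment_fixed' );
```

The capability check is the actual fix; the nonce and allow-list close the adjacent CSRF and parameter-tampering gaps that a handler reachable from the front end typically shares.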
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FV Thoughtful Comments (no CPE): versions <= 0.3.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.