CVE-2024-0829: CWE-862 Missing Authorization in nmedia Comments Extra Fields For Post,Pages and CPT
The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.0. This is due to missing or incorrect capability checks on several ajax actions. This makes it possible for authenticated attackers, with subscriber access or higher, to invoke those actions. As a result, they may modify comment form fields and update plugin settings.
AI Analysis
Technical Summary
CVE-2024-0829 is a missing authorization vulnerability (CWE-862) in the Comments Extra Fields For Post,Pages and CPT WordPress plugin affecting all versions up to and including 5.0. The issue arises from missing or incorrect capability checks on multiple AJAX actions, enabling authenticated users with subscriber or higher privileges to invoke these actions improperly. This can lead to unauthorized modification of comment form fields and plugin settings. The vulnerability has a CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), reflecting a network attack vector with low complexity but requiring low privileges and no user interaction, impacting integrity but not confidentiality or availability.
Potential Impact
An authenticated attacker with subscriber-level access or higher can exploit this vulnerability to modify comment form fields and update plugin settings without proper authorization. This impacts the integrity of the plugin's configuration and comment form data. There is no indication of confidentiality or availability impact. No known exploits in the wild have been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user roles and permissions to trusted users only and monitor for unusual changes to comment form fields or plugin settings. Avoid granting subscriber or higher privileges to untrusted users. Follow updates from the plugin vendor for any forthcoming patches or official fixes.
CVE-2024-0829: CWE-862 Missing Authorization in nmedia Comments Extra Fields For Post,Pages and CPT
Description
The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.0. This is due to missing or incorrect capability checks on several ajax actions. This makes it possible for authenticated attackers, with subscriber access or higher, to invoke those actions. As a result, they may modify comment form fields and update plugin settings.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-0829 is a missing authorization vulnerability (CWE-862) in the Comments Extra Fields For Post,Pages and CPT WordPress plugin affecting all versions up to and including 5.0. The issue arises from missing or incorrect capability checks on multiple AJAX actions, enabling authenticated users with subscriber or higher privileges to invoke these actions improperly. This can lead to unauthorized modification of comment form fields and plugin settings. The vulnerability has a CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), reflecting a network attack vector with low complexity but requiring low privileges and no user interaction, impacting integrity but not confidentiality or availability.
Potential Impact
An authenticated attacker with subscriber-level access or higher can exploit this vulnerability to modify comment form fields and update plugin settings without proper authorization. This impacts the integrity of the plugin's configuration and comment form data. There is no indication of confidentiality or availability impact. No known exploits in the wild have been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user roles and permissions to trusted users only and monitor for unusual changes to comment form fields or plugin settings. Avoid granting subscriber or higher privileges to untrusted users. Follow updates from the plugin vendor for any forthcoming patches or official fixes.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-01-23T17:41:43.438Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6de6b7ef31ef0b5905b0
Added to database: 2/25/2026, 9:47:18 PM
Last enriched: 4/9/2026, 5:40:18 AM
Last updated: 4/11/2026, 8:42:08 PM
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.