The Quote Comments plugin for WordPress suffers from a Missing Authorization vulnerability (CWE-862) in the quotecomments_add_admin function in all versions up to 3.0.0. This allows authenticated users with low privileges (Subscriber or above) to update arbitrary plugin options by manipulating the 'action' parameter, due to lack of proper authorization checks. The CVSS 3.1 base score is 4.3 (medium), reflecting low impact on confidentiality and availability but some impact on integrity. No patch or vendor advisory is currently provided.

An attacker with at least Subscriber-level access can modify plugin options without proper authorization, potentially altering plugin behavior or settings. There is no direct impact on confidentiality or availability reported. The integrity of plugin configuration is affected, which could lead to further security or functionality issues depending on the options changed.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict Subscriber-level access to trusted users only and monitor for unusual plugin configuration changes. Avoid granting unnecessary privileges to low-level authenticated users.