{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24598", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:32:12.343Z", "datePublished": "2026-01-23T14:29:02.568Z", "dateUpdated": "2026-04-28T16:14:50.338Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "multilanguage", "product": "Multilanguage by BestWebSoft", "vendor": "bestwebsoft", "versions": [{"lessThanOrEqual": "1.5.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:51.059Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in bestwebsoft Multilanguage by BestWebSoft multilanguage allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Multilanguage by BestWebSoft: from n/a through <= 1.5.2.</p>"}], "value": "Missing Authorization vulnerability in bestwebsoft Multilanguage by BestWebSoft multilanguage allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Multilanguage by BestWebSoft: from n/a through <= 1.5.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:50.338Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/multilanguage/vulnerability/wordpress-multilanguage-by-bestwebsoft-plugin-1-5-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Multilanguage by BestWebSoft plugin <= 1.5.2 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T20:43:13.920575Z", "id": "CVE-2026-24598", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:38:54.255Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24598", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T20:43:13.920575Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T20:43:05.535Z"}}], "cna": {"title": "WordPress Multilanguage by BestWebSoft plugin <= 1.5.2 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "bestwebsoft", "product": "Multilanguage by BestWebSoft", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.5.2"}], "packageName": "multilanguage", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:51.059Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/multilanguage/vulnerability/wordpress-multilanguage-by-bestwebsoft-plugin-1-5-2-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in bestwebsoft Multilanguage by BestWebSoft multilanguage allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Multilanguage by BestWebSoft: from n/a through <= 1.5.2.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in bestwebsoft Multilanguage by BestWebSoft multilanguage allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Multilanguage by BestWebSoft: from n/a through <= 1.5.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:06.866Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24598", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:38:54.255Z", "dateReserved": "2026-01-23T12:32:12.343Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:29:02.568Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in bestwebsoft Multilanguage by BestWebSoft multilanguage allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Multilanguage by BestWebSoft: from n/a through <= 1.5.2."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en bestwebsoft Multilanguage por BestWebSoft multilanguage permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Multilanguage por BestWebSoft: desde n/a hasta &lt;= 1.5.2."}], "id": "CVE-2026-24598", "lastModified": "2026-04-28T15:16:18.097", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:17.953", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/multilanguage/vulnerability/wordpress-multilanguage-by-bestwebsoft-plugin-1-5-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:35:05.560157+00:00", "value": {"mitigation_remediation": ["Update the Multilanguage by BestWebSoft plugin to version 1.5.3 or newer. ", "Restrict the plugin\u2019s administrative capabilities to users with the Administrator role, or remove lower\u2011privilege roles that have been granted access. ", "Review the WordPress user roles and permissions to ensure no unnecessary privileges are granted, and consider installing a role\u2011management plugin to enforce least privilege."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access to Multilanguage plugin"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress plugin Multilanguage by BestWebSoft, specifically versions from the earliest releases through 1.5.2. WordPress sites that have not updated this plugin are at risk. The vulnerability is version\u2011agnostic within that range and does not depend on the underlying operating system or hosting environment.", "description_and_impact": "It is a missing authorization vulnerability that exploits incorrectly configured access control security levels within the Multilanguage by BestWebSoft plugin. The flaw enables a user who should not have permission to modify or view the plugin\u2019s configuration to do so, effectively bypassing the intended role restrictions. The impact is unauthorized access to plugin settings, which could let an attacker alter language mappings or inject content without the site owner\u2019s knowledge.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the EPSS score is less than 1%, suggesting a very low likelihood of exploitation in the wild. The vendor has not listed this vulnerability in the CISA KEV catalog. Attackers would need access to a WordPress user account with limited permissions or the ability to create such accounts, and then exploit the misconfigured ACL to reach the plugin settings. The absence of a known exploit and the low EPSS reduce immediate risk, but the potential for content manipulation warrants prompt remediation."}}}}, "created": "2026-01-26T11:53:27.753838+00:00", "updated": "2026-04-16T01:45:20.650562+00:00", "vendors": ["bestwebsoft", "bestwebsoft$PRODUCT$multilanguage", "wordpress", "wordpress$PRODUCT$wordpress"]}