CVE-2026-24598
Description
Missing Authorization vulnerability in bestwebsoft Multilanguage by BestWebSoft multilanguage allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Multilanguage by BestWebSoft: from n/a through <= 1.5.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Multilanguage by BestWebSoft WordPress plugin (<=1.5.2) allows unprivileged users to exploit incorrectly configured access controls.
CVE-2026-24598 is a missing authorization vulnerability in the Multilanguage plugin by BestWebSoft for WordPress, affecting versions up to and including 1.5.2. The plugin lacks proper access control checks, allowing users without sufficient privileges to perform actions that should be restricted to higher-level roles. This is a classic broken access control issue where the plugin fails to verify nonce tokens or authorization before granting access to sensitive functions [1].
Exploitation does not require authentication at a privileged level; an attacker with low-level access (such as a subscriber) can potentially trigger privileged actions. The attack vector is over the network and the complexity is low: no special user interaction is required, and the attacker only needs to be able to send crafted requests to the targeted WordPress site. Due to the widespread use of this plugin, this vulnerability is considered a candidate for mass exploitation campaigns targeting unpatched sites [1].
Successful exploitation allows an unprivileged user to bypass access controls, potentially leading to unauthorized modification of plugin settings or other restricted operations. The impact is limited in terms of confidentiality and integrity, as reflected by the CVSS score of 4.3 (Medium), but the low barrier to exploitation means many installations are at risk [1].
As a mitigation, users should update the Multilanguage plugin to the latest patched version immediately. If updating is not possible, it is advisable to restrict access to the plugin's functions via a web application firewall or consult with a hosting provider. No workaround details have been published, but prompt patching is the recommended course of action [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=1.5.2
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.