#VU69682 Improper access control in WPML Multilingual CMS


Published: 2022-11-29

Vulnerability identifier: #VU69682

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-38461

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
WPML Multilingual CMS
Web applications / Modules and components for CMS

Vendor: OnTheGoSystems

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user can bypass the implemented security restrictions and change plugin settings (the selected language for legacy widgets and the default behavior for media content).

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

WPML Multilingual CMS: 4.5.10


External links
http://patchstack.com/database/vulnerability/sitepress-multilingual-cms/wordpress-wpml-multilingual-cms-plugin-4-5-10-broken-access-control-vulnerability?_s_id=cve


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

