CVE-2022-38461 MEDIUM

CVE-2022-38461: WordPress WPML Multilingual CMS premium plugin <= 4.5.10 - Broken Access Control vulnerability

Vendor Onthegosystems Ltd.
Product WPML Multilingual CMS (WordPress plugin)
Weakness CWE-264
Published November 17, 2022
Last update April 28, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01Description

Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows users with a subscriber or higher user role to change plugin settings (selected language for legacy widgets, the default behavior for media content).

Key dates

02Disclosure timeline

November 17, 2022 CVE published
April 28, 2026 Record updated