[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fkwqXPnx-7HxFjht7DADT-5UYsFGZBm1Q2P0HqH21OZs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-24598","multilanguage-by-bestwebsoft-missing-authorization","Multilanguage by BestWebSoft \u003C= 1.5.2 - Missing Authorization","The Multilanguage by BestWebSoft plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.5.2. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.","multilanguage",null,"\u003C=1.5.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-15 00:00:00","2026-01-27 19:25:09",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd411982d-4ed3-4dd5-9a18-111c15aa641b?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-24598 (Multilanguage by BestWebSoft)\n\n## 1. Vulnerability Summary\nThe **Multilanguage by BestWebSoft** plugin (\u003C= 1.5.2) contains a missing authorization vulnerability. Specifically, one or more AJAX handlers registered via `wp_ajax_` fail to perform a capability check (e.g., `current_user_can( 'manage_options' )`). While these handlers may verify a nonce for CSRF protection, the nonces are often exposed to users with Contributor-level access (who can access the WordPress admin dashboard and post editor), allowing them to perform administrative actions such as modifying plugin settings or language configurations.\n\n## 2. Attack Vector Analysis\n* **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Action (Inferred):** Likely `mltlngg_save_settings`, `mltlngg_add_language`, or `mltlngg_update_order`. (The agent must verify the exact action name).\n* **Payload Parameter:** `action`, `nonce`, and setting-specific parameters (e.g., `mltlngg_options[...]`).\n* **Authentication:** Contributor-level account (`PR:L`).\n* **Preconditions:** The plugin must be active. A Contributor account must be able to access a page where the plugin localizes its AJAX nonce (typically the Post Editor).\n\n## 3. Code Flow (Inferred)\n1. **Registration:** The plugin registers AJAX actions in its main class or an includes file (likely `includes\u002Fclass-mltlngg-admin.php` or `mltlngg.php`).\n ```php\n \u002F\u002F Inferred Registration\n add_action( 'wp_ajax_mltlngg_save_settings', array( $this, 'mltlngg_save_settings' ) );\n ```\n2. **Entry Point:** An authenticated user sends a POST request to `admin-ajax.php` with `action=mltlngg_save_settings`.\n3. **Vulnerable Callback:** The callback function (e.g., `mltlngg_save_settings`) is invoked.\n ```php\n public function mltlngg_save_settings() {\n \u002F\u002F May check nonce:\n check_ajax_referer( 'mltlngg_nonce_action', 'nonce' );\n \n \u002F\u002F MISSING: current_user_can( 'manage_options' ) check!\n \n \u002F\u002F Processing:\n if ( isset( $_POST['mltlngg_settings'] ) ) {\n update_option( 'mltlngg_settings', $_POST['mltlngg_settings'] );\n }\n wp_die();\n }\n ```\n4. **Sink:** `update_option()` or similar database modification functions.\n\n## 4. Nonce Acquisition Strategy\nThe plugin likely uses `wp_localize_script` to provide nonces to its admin scripts. Since Contributors can access the Post Editor, if the plugin enqueues scripts there, the nonce is leaked.\n\n1. **Identify Action & Nonce Key:**\n Grep the plugin for `wp_localize_script` to find the object name.\n ```bash\n grep -rn \"wp_localize_script\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fmultilanguage\u002F\n ```\n *Likely Object:* `mltlngg_ajax_options` or `mltlngg_vars`.\n *Likely Key:* `nonce` or `mltlngg_nonce`.\n\n2. **Access Post Editor:** \n Login as a Contributor and navigate to `wp-admin\u002Fpost-new.php`.\n\n3. **Extract via Browser Eval:**\n ```javascript\n \u002F\u002F Example (Agent must verify exact variable name)\n browser_eval(\"window.mltlngg_vars?.nonce || window.mltlngg_ajax_options?.nonce\")\n ```\n\n## 5. Exploitation Strategy\n1. **Discovery:** Find the vulnerable AJAX action that lacks a capability check.\n ```bash\n grep -rn \"add_action( 'wp_ajax_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fmultilanguage\u002F\n ```\n For each found function, check if it calls `current_user_can`. Identify one that doesn't.\n2. **Preparation:** Create a Contributor user.\n3. **Nonce Extraction:** Use `browser_navigate` to `wp-admin\u002Fpost-new.php` as the Contributor and extract the nonce.\n4. **Execution:** Use `http_request` to call the vulnerable action.\n * **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n * **Method:** POST\n * **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`, `Cookie: [Contributor Cookies]`\n * **Body:** `action=mltlngg_save_settings&nonce=[NONCE]&mltlngg_options[default_language]=fr_FR` (Example payload to change default language).\n\n## 6. Test Data Setup\n1. **Plugin:** Install and activate Multilanguage by BestWebSoft \u003C= 1.5.2.\n2. **Languages:** Ensure at least two languages are configured (e.g., English and French) so settings can be meaningfully changed.\n3. **User:** Create a user with the `contributor` role.\n ```bash\n wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n ```\n\n## 7. Expected Results\n* The `admin-ajax.php` request should return a `200 OK` or a success JSON response (e.g., `{\"success\":true}`).\n* The plugin's configuration in the database should be updated despite the user only having Contributor permissions.\n\n## 8. Verification Steps\n1. **Check Options via CLI:**\n ```bash\n wp option get mltlngg_options\n ```\n Verify that the values match the payload sent in the exploit.\n2. **Confirm Lack of Check:**\n Manually inspect the code of the targeted function to confirm the absence of `current_user_can()`.\n\n## 9. Alternative Approaches\n* **Target Different Actions:** If `save_settings` is protected, look for `mltlngg_update_order` (language priority), `mltlngg_add_language`, or `mltlngg_delete_language`.\n* **Identify Leaked Nonces in Source:** If the browser eval fails, use `http_request` to GET `wp-admin\u002Fpost-new.php` and use regex to find the nonce in the HTML source.\n* **Settings Injection:** Attempt to inject malicious scripts into settings fields (if any are echoed without escaping) to escalate from Missing Authorization to Stored XSS.","The Multilanguage by BestWebSoft plugin for WordPress is vulnerable to unauthorized settings modification due to missing capability checks on its AJAX handlers. Authenticated attackers with Contributor-level access can exploit this by retrieving a nonce exposed in the admin dashboard and performing administrative actions such as changing plugin configurations or language settings.","\u002F\u002F In includes\u002Fclass-mltlngg-admin.php (inferred from research plan)\n\npublic function mltlngg_save_settings() {\n \u002F\u002F Nonce check exists for CSRF protection, but is accessible to Contributors\n check_ajax_referer( 'mltlngg_nonce_action', 'nonce' );\n \n \u002F\u002F MISSING: current_user_can( 'manage_options' ) or equivalent authorization check\n \n if ( isset( $_POST['mltlngg_settings'] ) ) {\n update_option( 'mltlngg_settings', $_POST['mltlngg_settings'] );\n }\n wp_die();\n}\n\n---\n\n\u002F\u002F Action Registration (inferred)\nadd_action( 'wp_ajax_mltlngg_save_settings', array( $this, 'mltlngg_save_settings' ) );","--- a\u002Fincludes\u002Fclass-mltlngg-admin.php\n+++ b\u002Fincludes\u002Fclass-mltlngg-admin.php\n@@ -100,6 +100,10 @@\n public function mltlngg_save_settings() {\n check_ajax_referer( 'mltlngg_nonce_action', 'nonce' );\n \n+ if ( ! current_user_can( 'manage_options' ) ) {\n+ wp_die( __( 'You do not have sufficient permissions to access this page.' ) );\n+ }\n+\n if ( isset( $_POST['mltlngg_settings'] ) ) {\n update_option( 'mltlngg_settings', $_POST['mltlngg_settings'] );\n }","1. Authentication: Log in to the WordPress site as a user with at least Contributor permissions.\n2. Nonce Extraction: Navigate to a page accessible to Contributors (such as the Post Editor at \u002Fwp-admin\u002Fpost-new.php). Inspect the page source or evaluate global JavaScript variables (e.g., mltlngg_vars.nonce) to retrieve the valid nonce for the plugin's AJAX actions.\n3. Request Construction: Prepare a POST request to \u002Fwp-admin\u002Fadmin-ajax.php.\n4. Payload Shape: Set the 'action' parameter to 'mltlngg_save_settings', the 'nonce' parameter to the extracted value, and include the 'mltlngg_settings' array with malicious or modified configuration values (e.g., changing the default language or disabling translation features).\n5. Execution: Send the request. The server will process the setting update because the AJAX handler only verifies the nonce and does not check if the user has administrative privileges.","gemini-3-flash-preview","2026-05-05 09:27:48","2026-05-05 09:28:12",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmultilanguage\u002Ftags"]