Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable WordPress endpoint (AV:N), straightforward request (AC:L), requires authenticated Subscriber account (PR:L), no admin interaction (UI:N); role escalation yields full site control (C:H/I:H/A:H).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Privilege Escalation in Falang multilanguage <= 1.4.2 versions.
AnalysisAI
Privilege escalation in the Falang Multilanguage WordPress plugin (versions <= 1.4.2) allows authenticated low-privileged users (Subscriber role) to elevate their permissions on affected sites. The flaw is rooted in improper privilege management (CWE-266) and carries a CVSS 3.1 score of 8.8 with high confidentiality, integrity, and availability impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires (1) a WordPress site running the Falang Multilanguage plugin at version 1.4.2 or earlier, and (2) a valid authenticated session at the Subscriber role or higher (per CVSS PR:L) - typically obtainable on sites with open user registration enabled in WordPress (Settings > General > 'Anyone can register'). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, 8.8) indicates network-reachable, low-complexity exploitation requiring only low privileges and no user interaction, with full CIA impact - consistent with a Subscriber-to-Admin escalation on a WordPress site. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free Subscriber account on a WordPress site running Falang Multilanguage <= 1.4.2 (or compromises an existing low-privilege account via credential stuffing). They then send a crafted authenticated request to a Falang plugin endpoint that fails to enforce capability checks, escalating their account to Administrator and gaining full control of the site, including the ability to install malicious plugins or pivot to the underlying server. … |
| Remediation | Patch available per vendor advisory - administrators should upgrade Falang Multilanguage to the latest version above 1.4.2 as published on WordPress.org, following guidance in the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/falang/vulnerability/wordpress-falang-multilanguage-plugin-1-4-2-privilege-escalation-vulnerability (an exact fixed version is not independently confirmed in the provided data, so verify on WordPress.org before deploying). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all WordPress installations for Falang Multilanguage plugin; document version and deployment scope; disable plugin on non-critical sites. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37641