WordPress Plugin Vulnerabilities

WPML < 4.5.11 - Subscriber+ Settings Update

Description

The plugin does not have authorisation check when updating the selected language for legacy widgets and default behaviour for media content settings, which could allow any authenticated users, such as subscriber to update them

Affects Plugins

Plugin icon
sitepress-multilingual-cms
Fixed in 4.5.11

References

CVE
CVE-2022-38461

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
d4007060-aea1-4e69-bb3c-360cf2ee6e33

Timeline

Publicly Published
2022-11-09 (about 3 years ago)
Added
2022-11-17 (about 3 years ago)
Last Updated
2022-11-17 (about 3 years ago)

Other

Published
Title
Published
2025-04-04
Title
Ai Image Alt Text Generator for WP < 1.1.2 - Missing Authorization
Published
2024-12-14
Title
Leader <= 2.6.1 - Missing Authorization
Published
2022-11-01
Title
WatchTowerHQ < 3.6.16 - Unauthenticated Arbitrary File Access
Published
2025-12-18
Title
myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program < 2.9.7.2 - Missing Authorization to Sensitive Information Exposure
Published
2024-08-27
Title
Permalink Manager Lite < 2.4.4.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure