CVE-2025-26888 - Vulnerability Details

- WordPress WooCommerce Multilingual & Multicurrency plugin <= 5.3.8 - Broken Access Control vulnerability

Description

Missing Authorization vulnerability in Amir Helzer WooCommerce Multilingual & Multicurrency woocommerce-multilingual allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Multilingual & Multicurrency: from n/a through <= 5.3.8.

Published: 2025-04-09

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The WooCommerce Multilingual & Multicurrency plugin contains a missing authorization check that permits an attacker to alter the plugin’s configuration settings. Identified as CWE‑862, this vulnerability enables unauthorized modification of multilingual and multicurrency behavior, potentially disrupting site functionality and user experience. The description does not indicate data exfiltration or remote code execution. The likely attack vector is through the WordPress administrative interface, where an attacker with a compromised or insufficiently privileged account might exploit the incorrect access‑control enforcement; this inference is based on the reference to incorrectly configured access‑control security levels.

Affected Systems

Amir Helzer’s WooCommerce Multilingual & Multicurrency plugin for WordPress, version 5.3.8 and all earlier releases, is affected.

Risk and Exploitability

The CVSS score of 5.3 denotes moderate severity, while the EPSS score of less than 1 % indicates a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been observed in widespread attacks. Exploitation would require access to the plugin’s configuration interface, likely under a user account that has insufficient privileges. Due to the moderate impact and low exploitation likelihood, urgent patching is still recommended to mitigate potential privilege escalation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Amir Helzer

WooCommerce Multilingual & Multicurrency

unaffected

Version	Status	Constraints
`0`	affected	≤ 5.3.8

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade WooCommerce Multilingual & Multicurrency to the latest available version (>= 5.3.9) if a fix is provided by the vendor
Restrict WordPress user roles that can modify multilingual and multicurrency settings to only trusted administrators
If the plugin is not critical for your site, consider disabling or uninstalling it until a patch is released

Generated by OpenCVE AI on May 1, 2026 at 10:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-10529	Missing Authorization vulnerability in OnTheGoSystems WooCommerce Multilingual & Multicurrency allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Multilingual & Multicurrency: from n/a through 5.3.8.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00224.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/woocommerce-multilingual/vulnerability/wordpress-woocommerce-multilingual-multicurrency-plugin-5-3-8-broken-access-control-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Missing Authorization vulnerability in OnTheGoSystems WooCommerce Multilingual & Multicurrency allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Multilingual & Multicurrency: from n/a through 5.3.8.	Missing Authorization vulnerability in Amir Helzer WooCommerce Multilingual & Multicurrency woocommerce-multilingual allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Multilingual & Multicurrency: from n/a through <= 5.3.8.
References	https://patchstack.com/database/wordpress/plugin/woocommerce-multilingual/vulnerability/wordpress-woocommerce-multilingual-multicurrency-plugin-5-3-8-broken-access-control-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/woocommerce-multilingual/vulnerability/wordpress-woocommerce-multilingual-multicurrency-plugin-5-3-8-broken-access-control-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Wed, 09 Apr 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 09 Apr 2025 19:45:00 +0000

Type	Values Removed	Values Added
Description		Missing Authorization vulnerability in OnTheGoSystems WooCommerce Multilingual & Multicurrency allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Multilingual & Multicurrency: from n/a through 5.3.8.
Title		WordPress WooCommerce Multilingual & Multicurrency plugin <= 5.3.8 - Broken Access Control vulnerability
Weaknesses		CWE-862
References		https://patchstack.com/database/wordpress/plugin/woocommerce-multilingual/vulnerability/wordpress-woocommerce-multilingual-multicurrency-plugin-5-3-8-broken-access-control-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-04-09T19:35:42.843Z

Updated: 2026-04-28T16:11:42.561Z

Reserved: 2025-02-17T11:50:29.986Z

Link: CVE-2025-26888

Vulnrichment

Updated: 2025-04-09T19:54:55.232Z

NVD

Status : Deferred

Published: 2025-04-09T20:15:26.607

Modified: 2026-06-17T09:02:33.210

Link: CVE-2025-26888

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T10:45:05Z

Weaknesses

CWE-862
Missing Authorization

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object