It is a missing authorization vulnerability that exploits incorrectly configured access control security levels within the Multilanguage by BestWebSoft plugin. The flaw enables a user who should not have permission to modify or view the plugin’s configuration to do so, effectively bypassing the intended role restrictions. The impact is unauthorized access to plugin settings, which could let an attacker alter language mappings or inject content without the site owner’s knowledge.

The affected product is the WordPress plugin Multilanguage by BestWebSoft, specifically versions from the earliest releases through 1.5.2. WordPress sites that have not updated this plugin are at risk. The vulnerability is version‑agnostic within that range and does not depend on the underlying operating system or hosting environment.

The CVSS score of 4.3 indicates moderate severity, and the EPSS score is less than 1%, suggesting a very low likelihood of exploitation in the wild. The vendor has not listed this vulnerability in the CISA KEV catalog. Attackers would need access to a WordPress user account with limited permissions or the ability to create such accounts, and then exploit the misconfigured ACL to reach the plugin settings. The absence of a known exploit and the low EPSS reduce immediate risk, but the potential for content manipulation warrants prompt remediation.