Impact
The MultiLoca plugin in WordPress contains a vulnerability that allows a subscriber-level user to gain administrator privileges. This flaw, identified as CWE‑266, arises from insufficient access control, enabling a legitimate user to execute actions reserved for higher‑privileged accounts and potentially compromise the entire site.
Affected Systems
All installations of the Techspawn MultiLoca plugin version 4.2.15 and earlier running on WordPress are affected. The vulnerability specifically targets WordPress sites that have this plugin active and have subscribers or other authenticated users.
Risk and Exploitability
The CVSS score of 7.6 indicates a high severity, and although the EPSS score is not available, the lack of listing in CISA KEV suggests no documented exploitation at this time. Based on the description, it is inferred that the attack vector requires an authenticated subscriber, and the vulnerability could be exploited remotely via the web interface if the user can create a subscriber account or already has such access. The resulting privilege escalation would enable the attacker to modify site settings, install or delete plugins, and access sensitive data.
OpenCVE Enrichment