Description
Subscriber Privilege Escalation in MultiLoca <= 4.2.15 versions.
Published: 2026-06-17
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MultiLoca plugin in WordPress contains a vulnerability that allows a subscriber-level user to gain administrator privileges. This flaw, identified as CWE‑266, arises from insufficient access control, enabling a legitimate user to execute actions reserved for higher‑privileged accounts and potentially compromise the entire site.

Affected Systems

All installations of the Techspawn MultiLoca plugin version 4.2.15 and earlier running on WordPress are affected. The vulnerability specifically targets WordPress sites that have this plugin active and have subscribers or other authenticated users.

Risk and Exploitability

The CVSS score of 7.6 indicates a high severity, and although the EPSS score is not available, the lack of listing in CISA KEV suggests no documented exploitation at this time. Based on the description, it is inferred that the attack vector requires an authenticated subscriber, and the vulnerability could be exploited remotely via the web interface if the user can create a subscriber account or already has such access. The resulting privilege escalation would enable the attacker to modify site settings, install or delete plugins, and access sensitive data.

Generated by OpenCVE AI on June 18, 2026 at 12:19 UTC.

Remediation

Vendor Solution

Update the WordPress MultiLoca Plugin to the latest available version (at least 4.2.16).


OpenCVE Recommended Actions

  • Update the WordPress MultiLoca Plugin to the latest version (4.2.16 or newer).
  • Remove any unnecessary subscriber accounts to limit potential exploit vectors.
  • Review and correct user role assignments so that only trusted accounts hold administrator privileges.

Generated by OpenCVE AI on June 18, 2026 at 12:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Techspawn
Techspawn multiloca
Wordpress
Wordpress wordpress
Vendors & Products Techspawn
Techspawn multiloca
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber Privilege Escalation in MultiLoca <= 4.2.15 versions.
Title WordPress MultiLoca plugin <= 4.2.15 - Privilege Escalation vulnerability
Weaknesses CWE-266
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}


Subscriptions

Techspawn Multiloca
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:36:14.140Z

Reserved: 2026-04-07T10:48:21.621Z

Link: CVE-2026-39546

cve-icon Vulnrichment

Updated: 2026-06-17T12:36:10.394Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T12:30:04Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment