CVE-2026-39546
Deferred - Pending Action
Subscriber Privilege Escalation in MultiLoca

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Subscriber Privilege Escalation in MultiLoca <= 4.2.15 versions.
Meta Information
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: patchstack
Product: multiloca
Version / Range: up to and including 4.2.15
CWE
CWE-266: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Executive Summary

The WordPress MultiLoca Plugin, versions 4.2.15 and below, contains a high-priority Privilege Escalation vulnerability (CVE-2026-39546). This flaw allows attackers who have low-privilege accounts, such as Subscriber roles, to escalate their access rights to higher privileges within the website.

This means an attacker could potentially gain full control over the website by exploiting this vulnerability.

The issue is related to Identification and Authentication Failures, classified under OWASP Top 10 A7.

Impact Analysis

If exploited, this vulnerability can allow an attacker with a low-privilege account to escalate their privileges and gain full control of the affected website.

This can lead to unauthorized access, modification, or deletion of website data, disruption of services, and potential compromise of sensitive information.

Because the vulnerability is considered highly dangerous and has a risk of mass exploitation, many websites using the vulnerable plugin could be targeted simultaneously.

Mitigation Strategies

To mitigate the CVE-2026-39546 vulnerability, you should immediately update the WordPress MultiLoca Plugin to version 4.2.16 or later.

Alternatively, you can apply the mitigation rule provided by Patchstack if updating is not immediately possible.

It is also recommended to seek assistance from your hosting provider or developer to ensure proper protection against exploitation.

Compliance Impact

The vulnerability allows attackers with low-privilege accounts to escalate their privileges and potentially gain full control of the website. This kind of privilege escalation can lead to unauthorized access to sensitive data, which may result in violations of data protection regulations such as GDPR and HIPAA.

Since the issue is classified under OWASP Top 10 A7 (Identification and Authentication Failures), it indicates a failure in access control mechanisms, which is critical for compliance with standards that require strict user authentication and authorization controls.

Therefore, if exploited, this vulnerability could compromise the confidentiality and integrity of personal or protected health information, potentially leading to non-compliance with regulations like GDPR and HIPAA.
