CVE-2026-39546 | Severity: HIGH | CNA: Patchstack

CVE-2026-39546: WordPress MultiLoca plugin <= 4.2.15 - Privilege Escalation vulnerability

Subscriber Privilege Escalation in MultiLoca <= 4.2.15 versions.

Metrics

  • CVSS v3.1: 7.6
  • Severity: HIGH
  • Fixed in: none (no upstream fix version published)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a privilege escalation vulnerability in the WordPress MultiLoca plugin, versions 4.2.15 and earlier, developed by Techspawn. It is reachable over the network and requires only a low-privilege account (subscriber-level) to exploit, with no victim interaction needed. A successful attacker gains elevated permissions within the WordPress installation, enabling access to protected content, limited data modification, and partial disruption of site functionality. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-39546 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the MultiLoca plugin. Any image carrying MultiLoca at version 4.2.15 or earlier is flagged automatically.

Status: Available
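The Detection paragraph above comes down to one check: find every WordPress plugin in an image whose header identifies it as MultiLoca and whose version is 4.2.15 or lower. The script below is an added example (not HarborGuard's scanner) that performs that check against the standard WordPress plugin header comment (`Plugin Name:` / `Version:` lines). The sample plugin files are constructed, the directory names are invented, and the higher version used as a non-affected sample is hypothetical (the page states that no fix has been published). Matching on the `Plugin Name` header is an assumption; a real scanner would also key on the plugin slug.

```python
"""Flag WordPress plugin installs affected by an advisory, by version.

Added example, not HarborGuard's code. Reads the standard WordPress plugin
header block and compares the declared version against the advisory's
"<= 4.2.15" bound using numeric (not string) comparison.
"""
import re

# Advisory data taken from this record page.
ADVISORY = {
    "cve": "CVE-2026-39546",
    "plugin_name": "MultiLoca",   # matched case-insensitively against "Plugin Name:" (assumption)
    "max_affected": "4.2.15",     # highest affected version per the advisory
}

# Constructed sample plugin files (path -> contents). Paths are invented.
SAMPLE_PLUGIN_FILES = {
    "multiloca/multiloca.php": """<?php
/*
Plugin Name: MultiLoca
Version: 4.2.15
*/
""",
    "multiloca-old/multiloca.php": """<?php
/**
 * Plugin Name: MultiLoca
 * Version: 4.1.0
 */
""",
    # Hypothetical later version for illustration only; no fix version exists upstream yet.
    "multiloca-later/multiloca.php": """<?php
/*
Plugin Name: MultiLoca
Version: 4.2.16
*/
""",
    "other-plugin/other-plugin.php": """<?php
/*
Plugin Name: Some Other Plugin
Version: 1.0.3
*/
""",
}

# Header lines look like "Plugin Name: X" or " * Version: 1.2.3" inside a PHP comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(text):
    """Return the first 'Plugin Name' and 'Version' header values found in a plugin file."""
    header = {}
    for match in HEADER_RE.finditer(text):
        header.setdefault(match.group(1), match.group(2))
    return header


def version_key(version):
    """Turn '4.2.15' into (4, 2, 15). Non-numeric fragments (e.g. '-beta') are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version, max_affected):
    """True if version <= max_affected, comparing component-wise as integers.

    A plain string comparison would wrongly treat '4.10.0' as older than '4.2.15'.
    Shorter versions are zero-padded so '4.2' compares as '4.2.0'.
    """
    a, b = version_key(version), version_key(max_affected)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def scan_plugins(files, advisory):
    """Return one finding per plugin file matching the advisory's name and version bound."""
    findings = []
    for path, text in files.items():
        header = parse_plugin_header(text)
        name = header.get("Plugin Name", "")
        version = header.get("Version")
        if not version or advisory["plugin_name"].lower() not in name.lower():
            continue
        if is_affected(version, advisory["max_affected"]):
            findings.append({"path": path, "plugin": name, "version": version,
                             "cve": advisory["cve"]})
    return findings


def main():
    for finding in scan_plugins(SAMPLE_PLUGIN_FILES, ADVISORY):
        print(f"{finding['cve']}: {finding['plugin']} {finding['version']} at {finding['path']}")


if __name__ == "__main__":
    main()
```

Run against the constructed samples, this flags the 4.2.15 and 4.1.0 installs and leaves the 4.2.16 and unrelated plugin alone; the point of `version_key` is that `"4.10.0" <= "4.2.15"` is true as strings but false as versions, a mistake that silently misses affected installs in a real inventory.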
Triage

HarborGuard is capable of scoring this finding at CVSS 7.6 (HIGH) and weighting it against each customer environment's configured compliance policy to determine urgency. Triage routing is available to direct alerts to the appropriate team inbox within each customer organization based on policy rules.

Status: Available
Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Techspawn ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically once a fix version becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress service over the network; no local or physical access is required.

  • Authentication: Required

    A low-privilege account is sufficient; subscriber-level WordPress credentials are enough to trigger the escalation.

  • Victim interaction: Not required

    No user action or social-engineering step is needed; the attacker operates entirely on their own.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific environmental factors.

Blast Radius

  • A successful attacker gains elevated WordPress privileges beyond their subscriber role, unlocking access to restricted administrative or editorial functions.
  • Confidentiality impact is high: the attacker can read protected site content, configuration data, and potentially stored credentials or user records accessible to higher-privilege roles.
  • Integrity impact is partial: the attacker can modify persisted WordPress data such as posts, settings, or user metadata within the bounds of the escalated role.
  • Availability impact is partial: the attacker can disrupt normal site operation, for example by deactivating plugins or altering settings in ways that degrade functionality.

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored continuously against all customer images that include the MultiLoca plugin at an affected version. Because Techspawn has not yet published a fix, HarborGuard re-evaluates the advisory on every ingest cycle and will surface a patched-image rebuild the moment an upstream release is available. In the interim, compensating controls available to customers include network-policy isolation to restrict unauthenticated and subscriber-level access paths to the affected plugin endpoints, egress filtering to limit post-exploitation reachability, and feature-flag or plugin-deactivation gating within WordPress to disable MultiLoca until a patch is published. For customers with auto-remediation enabled, the full rebuild, regression-test run, and PR flow will trigger automatically once a fix version is confirmed upstream.

Affected packages
  • Techspawn / MultiLoca
    ≤ 4.2.15
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L