CVE-2026-54805 | Severity: HIGH | CNA: Patchstack

CVE-2026-54805: WordPress Falang multilanguage plugin <= 1.4.2 - Privilege Escalation vulnerability

Subscriber Privilege Escalation in Falang multilanguage <= 1.4.2 versions.

Metrics

CVSS v3.1 base score: 8.8
Severity: HIGH
Fixed in: no fix version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

This is a privilege escalation vulnerability in the Falang multilanguage plugin for WordPress, affecting versions 1.4.2 and earlier. It is exploitable over the network by any authenticated user with a low-privilege account such as a subscriber, and requires no interaction from another user or administrator. Successful exploitation allows an attacker to elevate their privileges within the WordPress site, gaining unauthorized access to administrative functions and data. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection (status: Available)

Detection for CVE-2026-54805 is available across every HarborGuard environment. The CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer container images, including custom-built WordPress images, in registries and CI/CD pipelines.
Triage (status: Available)

HarborGuard scores this CVE at 8.8 HIGH using the CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules.
Patch (status: Pending upstream)

No fix version has been published by the upstream maintainer as of the CVE publication date. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released upstream. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the WordPress site over the network; the vulnerable plugin endpoint is exposed via the standard HTTP interface.

  • Authentication: Required

    A low-privilege account such as a subscriber role is sufficient; no administrative credentials are needed.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any other user; exploitation is performed entirely by the attacker alone.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other variable environmental factors.

Blast Radius

  • Attacker escalates from a subscriber-level account to higher-privilege roles, gaining access to WordPress administrative functions.
  • Elevated access allows reading of all site content, user data, and configuration settings including stored credentials or API keys managed through the WordPress backend.
  • With elevated privileges, the attacker can modify site content, install or alter plugins and themes, and change user account settings including administrator passwords.
  • Full compromise of confidentiality, integrity, and availability of the WordPress instance and any data it stores or processes is achievable after escalation.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-54805 is active and matches against any customer image containing the Falang multilanguage plugin at version 1.4.2 or earlier, including custom WordPress images built in-house.

Because no upstream patch exists yet, HarborGuard monitors the Patchstack advisory and the plugin repository on every ingest cycle. The moment a fix version is published, a patched-image rebuild becomes available automatically, and customers with auto-remediation enabled will receive a rebuilt image, a regression test run, and a PR opened against affected workloads without manual steps.

In the interim, compensating controls worth considering include restricting subscriber-level registration on affected WordPress instances, applying a web application firewall rule to block requests associated with the vulnerable endpoint, and using network policy to limit inbound access to the WordPress service to known and trusted sources only.

Affected packages
  • sbouey / Falang multilanguage
    ≤ 1.4.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H