CVE-2022-38461: 
WordPress vulnerability analysis and mitigation

A Broken Access Control vulnerability was discovered in the WPML Multilingual CMS premium WordPress plugin versions 4.5.10 and below, identified as CVE-2022-38461. The vulnerability was publicly disclosed on November 9, 2022, and affects users with subscriber-level privileges or higher. The issue stems from missing authorization checks when updating specific language settings (WPScan, Patchstack).

The vulnerability is classified as a Broken Access Control issue (OWASP Top 10 A5) with a CVSS score of 5.4 (Medium severity). The security flaw specifically involves the absence of authorization checks when updating the selected language for legacy widgets and default behavior for media content settings. This vulnerability is categorized under CWE-862 (Missing Authorization) (Patchstack).

The vulnerability allows authenticated users with subscriber-level access or higher to modify language settings for legacy widgets and media content settings, potentially affecting the website's multilingual functionality and content presentation. This unauthorized access could lead to unintended changes in the site's language configuration (WPScan).

The vulnerability has been fixed in version 4.5.11 of the WPML Multilingual CMS plugin. Site administrators are advised to update to version 4.5.11 or later immediately. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).