WordPress Security Bulletin: User Language Switch Plugin Vulnerability (CVE-2026-0745)

On this page

Security Alert Summary

The User Language Switch plugin for WordPress is affected by a Server-Side Request Forgery (SSRF) vulnerability in versions up to and including 1.6.10. The issue is caused by missing URL validation in a function that handles language downloads, which can allow an attacker to make web requests from the application to arbitrary locations and interact with internal services.

CVE Details

  • CVE ID: CVE-2026-0745
  • Affected plugin / component: User Language Switch plugin for WordPress
  • Affected versions: All versions up to and including 1.6.10
  • Fixed version: Not specified in the CVE entry
  • Published date: February 14, 2026 at 7:16:09 AM
  • Last modified date: February 14, 2026 at 7:16:09 AM
  • CVSS v3.1 base score: 7.2
  • CVSS severity: HIGH
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
  • Authentication / Privileges / User interaction (from CVSS data): Privileges Required: NONE; User Interaction: NONE; (CVSS indicates no privileges required). Note: the CVE description states the issue can be exploited by authenticated attackers with Administrator-level access and above.
  • Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
  • CWE / weakness: CWE-918 (Server-Side Request Forgery)

Technical Details

The vulnerability is a Server-Side Request Forgery (SSRF) caused by missing URL validation in the plugin’s language download handling. The CVE description identifies the affected code path as the download_language() function. Because the function does not properly validate destination URLs, an attacker can cause the web application to perform HTTP requests to arbitrary locations on behalf of the server.

Successful exploitation allows the application to reach internal network resources or third-party services from the server context. The CVE description explicitly notes this can be used to query and modify information from internal services. The issue exists due to insufficient input validation on the URL used by the download routine.

How This Could Impact Your Website

Consider a small organization running WordPress where the site owner manages high-level settings, internal staff maintain content, and an external contractor occasionally performs translations or plugin configuration. If an attacker is able to exploit this SSRF path (per the CVE, the description suggests attackers with Administrator-level access), they could use the server to reach internal endpoints not normally accessible from the public internet. That could reveal internal data exposed by accessible endpoints or allow limited interactions with internal services that accept requests from the web application.

Practical consequences include the potential exposure of internal API responses or other data that may contain user identifiers or contact information, which in turn increases the risk of targeted phishing or social engineering against staff or contractors. The confidentiality and integrity impacts are rated as low by the CVSS metrics, so this vulnerability is unlikely to by itself result in full site takeover, but it can be a useful reconnaissance or lateral-movement aid for an attacker.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributors and any accounts with Administrator-level access.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from the site.
  • Monitor site activity and server logs for unusual behavior, such as unexpected outbound HTTP requests originating from WordPress processes.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

References