Stored Cross-Site Scripting in User Language Switch Plugin by WordPress
CVE-2026-0735

4.4MEDIUM

Key Information:

Vendor: WordPress
Status: User Language Switch
Vendor: CVE Published:; 14 February 2026

What is CVE-2026-0735?

The User Language Switch plugin for WordPress has a vulnerability that allows authenticated attackers with administrator-level access to perform Stored Cross-Site Scripting. This weakness arises through the 'tab_color_picker_language_switch' parameter, where insufficient input sanitization and output escaping can be exploited. Attackers can inject arbitrary web scripts into pages, and these scripts will execute when an unsuspecting user accesses an affected page. This issue primarily impacts multi-site installations and those with 'unfiltered_html' disabled, presenting a significant risk to user security.

Affected Version(s)

User Language Switch 0 <= 1.6.10

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/user-language-...

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 14, 2026
Vulnerability Reserved
Jan 8, 2026

Credit

Bhumividh Treloges

CVE-2026-0735 Data

JSON