Server-Side Request Forgery Vulnerability in User Language Switch Plugin for WordPress
CVE-2026-0745

5.5MEDIUM

Key Information:

Vendor: WordPress
Status: User Language Switch
Vendor: CVE Published:; 14 February 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-0745?

The User Language Switch plugin for WordPress allows authenticated users with Administrator-level access or higher to exploit a vulnerability in the 'download_language()' function. Due to insufficient URL validation, attackers can perform Server-Side Request Forgery, enabling them to initiate web requests to unintended external sites or internal services. This could lead to unauthorized data exposure, internal service manipulation, or other security breaches, emphasizing the importance of immediate patching or updating to mitigate risks.

Affected Version(s)

User Language Switch 0 <= 1.6.10

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-0745
Created by HORKimhab

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://downloads.wordpress.org/plugin/user-language-swit...

https://wordpress.org/plugins/user-language-switch/

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 15, 2026
👾
Exploit known to exist
May 15, 2026
Vulnerability published
Feb 14, 2026
Vulnerability Reserved
Jan 8, 2026

Credit

Bhumividh Treloges

CVE-2026-0745 Data

JSON