CVE-2026-0745
Unknown Unknown - Not Provided
Server-Side Request Forgery in WordPress User Language Switch Plugin

Publication date: 2026-02-14

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The User Language Switch plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.10 due to missing URL validation on the 'download_language()' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-02-14
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0745
EUVD
EUVD-2026-6065
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
webilop user_language_switch to 1.6.10 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The User Language Switch plugin for WordPress has a Server-Side Request Forgery (SSRF) vulnerability in all versions up to and including 1.6.10. This vulnerability exists because the 'download_language()' function does not properly validate URLs.

As a result, authenticated attackers with Administrator-level access or higher can make the web application send requests to arbitrary locations. This can be exploited to query and modify information from internal services that are otherwise not accessible.

Impact Analysis

This vulnerability allows attackers with administrator privileges to make the web application send requests to arbitrary internal or external locations. This can lead to unauthorized access or modification of sensitive internal information.

Such an attack could compromise internal services, potentially exposing confidential data or allowing attackers to manipulate internal systems.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "The vulnerability exists in the 'download_language()' function of the User Language Switch WordPress plugin, which allows authenticated administrators to make arbitrary web requests due to missing URL validation."}, {'type': 'paragraph', 'content': 'Detection would involve monitoring for unusual outbound web requests originating from the WordPress application, especially those triggered by administrator actions.'}, {'type': 'paragraph', 'content': 'Since the vulnerability requires administrator-level access, checking for suspicious administrator activity or unexpected HTTP requests to internal or external URLs from the web server logs could help.'}, {'type': 'paragraph', 'content': 'Specific commands are not provided in the available resources.'}] [1, 3]

Mitigation Strategies

Immediate mitigation steps include removing or disabling the User Language Switch plugin, as it is vulnerable up to version 1.6.10 and has been abandoned and removed from the WordPress repository.

Restrict administrator access to trusted users only, since exploitation requires administrator-level privileges.

Monitor and restrict outgoing web requests from the WordPress server to prevent abuse of the SSRF vulnerability.

Consider applying web application firewall (WAF) rules to block suspicious requests related to the vulnerable function.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0745. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart