Vulnerabilities and security researches foruser-language-switch user-language-switch

Aug 12, 2025

CVE, Research URL: CVE-2025-49064
Home page URL: Security reports for User Language Switch
Application: User Language Switch
Date: Aug 14, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Webilop User Language Switch user-language-switch allows Reflected XSS.This issue affects User Language Switch: from n/a through <= 1.6.10.
Affected versions: max 1.6.10.
Status: vulnerable

Apr 15, 2026

CVE, Research URL: CVE-2026-0735
Home page URL: Security reports for User Language Switch
Application: User Language Switch
Date: Feb 14, 2026
Research Description: The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tab_color_picker_language_switch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions: max 1.6.10.
Status: vulnerable

CVE, Research URL: CVE-2026-0745
Home page URL: Security reports for User Language Switch
Application: User Language Switch
Date: Feb 14, 2026
Research Description: The User Language Switch plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.10 due to missing URL validation on the 'download_language()' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Affected versions: max 1.6.10.
Status: vulnerable