{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0735", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-08T15:59:02.041Z", "datePublished": "2026-02-14T06:42:34.475Z", "dateUpdated": "2026-04-08T17:21:18.773Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:18.773Z"}, "affected": [{"vendor": "webilop", "product": "User Language Switch", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.6.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tab_color_picker_language_switch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "User Language Switch <= 1.6.10 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'tab_color_picker_language_switch' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c6f61e13-20fb-4cef-bae7-2cd5fa038175?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/user-language-switch/trunk/uls-options.php#L365"}, {"url": "https://plugins.trac.wordpress.org/browser/user-language-switch/tags/1.6.10/uls-options.php#L365"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Bhumividh Treloges"}], "timeline": [{"time": "2026-02-13T18:31:14.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T15:36:31.736147Z", "id": "CVE-2026-0735", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:45:29.184Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0735", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T15:36:31.736147Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:36:32.354Z"}}], "cna": {"title": "User Language Switch <= 1.6.10 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'tab_color_picker_language_switch' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Bhumividh Treloges"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "webilop", "product": "User Language Switch", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.6.10"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-13T18:31:14.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c6f61e13-20fb-4cef-bae7-2cd5fa038175?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/user-language-switch/trunk/uls-options.php#L365"}, {"url": "https://plugins.trac.wordpress.org/browser/user-language-switch/tags/1.6.10/uls-options.php#L365"}], "descriptions": [{"lang": "en", "value": "The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tab_color_picker_language_switch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:18.773Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0735", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:21:18.773Z", "dateReserved": "2026-01-08T15:59:02.041Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-14T06:42:34.475Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tab_color_picker_language_switch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}, {"lang": "es", "value": "El plugin User Language Switch para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del par\u00e1metro 'tab_color_picker_language_switch' en todas las versiones hasta la 1.6.10, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de nivel de administrador y superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada. Esto solo afecta a instalaciones multisitio y a las instalaciones donde se ha deshabilitado unfiltered_html."}], "id": "CVE-2026-0735", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-14T07:16:08.770", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/user-language-switch/tags/1.6.10/uls-options.php#L365"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/user-language-switch/trunk/uls-options.php#L365"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c6f61e13-20fb-4cef-bae7-2cd5fa038175?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "product": "user_language_switch", "vendor": "webilop"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T18:26:41.825920+00:00", "value": {"mitigation_remediation": ["Upgrade the User Language Switch plugin to the latest release that fixes the stored cross\u2011site scripting vulnerability.", "If an upgrade is not immediately possible, remove the plugin entirely from the WordPress installation until the issue is resolved.", "If removal is not an option, disable the multisite feature or ensure that only non\u2011admin users can access the configuration pages that modify the 'tab_color_picker_language_switch' parameter to reduce the attack surface."], "summary": {"action": "Update Plugin", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress installations running the webilop User Language Switch plugin version 1.6.10 or earlier. The vulnerability is present when the site is configured for multisite support and when the role has administrator-level access. Models of the environment include any WordPress installation that uses the plugin\u2019s configuration options accessed by administrators.", "description_and_impact": "The User Language Switch plugin for WordPress has a stored cross\u2011site scripting flaw that allows an authenticated attacker with administrator privileges or higher to inject arbitrary JavaScript via the 'tab_color_picker_language_switch' parameter. When the affected parameter is stored, the injected script runs in the context of any user's browser that views the affected page, potentially enabling credential theft, session hijacking, or defacement. The flaw exists in all plugin versions up to and including 1.6.10 and requires that the site run as a multisite installation with the unfiltered_html capability disabled.", "risk_and_exploitability": "The CVSS score of 4.4 indicates moderate risk while the EPSS score of less than 1% suggests a low probability of exploitation at the time of assessment. The vulnerability is not listed in the CISA KEV catalog, meaning it has not been observed in widespread exploitation. Exploitation requires an attacker to obtain or compromise an administrator account and modify the plugin\u2019s option value, implying that credential compromise or social engineering are primary attack vectors. Once the parameter is modified, the stored script executes for all visitors of the affected pages, making this a useful threat for attackers with privileged access."}}}}, "created": "2026-02-16T12:02:05.622462+00:00", "updated": "2026-04-15T18:30:10.952075+00:00", "vendors": ["webilop", "webilop$PRODUCT$user_language_switch", "wordpress", "wordpress$PRODUCT$wordpress"]}