{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22462", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:43:59.553Z", "datePublished": "2026-01-22T16:52:40.088Z", "dateUpdated": "2026-04-28T17:16:26.368Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "add-polylang-support-for-customizer", "product": "Add Polylang support for Customizer", "vendor": "richardevcom", "versions": [{"lessThanOrEqual": "1.4.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:29.466Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in richardevcom Add Polylang support for Customizer add-polylang-support-for-customizer allows Cross Site Request Forgery.<p>This issue affects Add Polylang support for Customizer: from n/a through <= 1.4.5.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in richardevcom Add Polylang support for Customizer add-polylang-support-for-customizer allows Cross Site Request Forgery.This issue affects Add Polylang support for Customizer: from n/a through <= 1.4.5."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:44.569Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/add-polylang-support-for-customizer/vulnerability/wordpress-add-polylang-support-for-customizer-plugin-1-4-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress Add Polylang support for Customizer plugin <= 1.4.5 - Cross Site Request Forgery (CSRF) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T20:37:12.338050Z", "id": "CVE-2026-22462", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:16:26.368Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22462", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:43:59.553Z", "datePublished": "2026-01-22T16:52:40.088Z", "dateUpdated": "2026-04-28T17:16:26.368Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "add-polylang-support-for-customizer", "product": "Add Polylang support for Customizer", "vendor": "richardevcom", "versions": [{"lessThanOrEqual": "1.4.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:29.466Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in richardevcom Add Polylang support for Customizer add-polylang-support-for-customizer allows Cross Site Request Forgery.<p>This issue affects Add Polylang support for Customizer: from n/a through <= 1.4.5.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in richardevcom Add Polylang support for Customizer add-polylang-support-for-customizer allows Cross Site Request Forgery.This issue affects Add Polylang support for Customizer: from n/a through <= 1.4.5."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:44.569Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/add-polylang-support-for-customizer/vulnerability/wordpress-add-polylang-support-for-customizer-plugin-1-4-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress Add Polylang support for Customizer plugin <= 1.4.5 - Cross Site Request Forgery (CSRF) vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22462", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T20:37:12.338050Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T20:37:25.665Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in richardevcom Add Polylang support for Customizer add-polylang-support-for-customizer allows Cross Site Request Forgery.This issue affects Add Polylang support for Customizer: from n/a through <= 1.4.5."}, {"lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en richardevcom Add Polylang support para Customizer add-polylang-support-for-customizer permite falsificaci\u00f3n de petici\u00f3n en sitios cruzados. Este problema afecta a Add Polylang support para Customizer: desde n/a hasta &lt;= 1.4.5."}], "id": "CVE-2026-22462", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T17:16:35.030", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/add-polylang-support-for-customizer/vulnerability/wordpress-add-polylang-support-for-customizer-plugin-1-4-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T17:55:29.171907+00:00", "value": {"mitigation_remediation": ["Update the Add Polylang Support for Customizer plugin to a patched release that includes CSRF protection.", "If no patch is available, completely deactivate the plugin or block access to its administrative pages until the update is applied.", "Deploy a web application firewall or implement custom request logic that rejects any state\u2011changing request lacking a valid CSRF token to guard against the flaw."], "summary": {"action": "Patch ASAP", "impact": "Unauthorized actions via CSRF"}, "threat_synthesis": {"affected_systems": "All installations of the Add Polylang Support for Customizer plugin version\u00a01.4.5 or earlier provided by the vendor richardevcom. The flaw resides in the plugin\u2019s request handling, so every WordPress site that has the plugin active and in any core version is affected.", "description_and_impact": "The Add Polylang Support for Customizer plugin for WordPress is vulnerable to a token\u2011less cross\u2011site request forgery flaw (CWE\u2011352). An attacker who can trick a legitimate user into visiting a crafted URL may cause that user\u2019s browser to send authenticated requests to the WordPress site, inadvertently altering settings, modifying content, or performing other privileged actions depending on the user\u2019s permissions. The vulnerability allows unintended execution of user\u2011triggered actions, which can compromise configuration integrity and content authenticity.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, while an EPSS score of less than 1% suggests exploitation likelihood is currently low. The flaw is not listed in the CISA KEV catalog, further implying limited known exploitation. The likely attack vector is a victim user with site administrator or editor privileges who is lured into clicking a malicious link; network\u2011only or remote code execution is not required. An attacker could embed the crafted link in emails, forums, or advertisements to conduct the attack. Given the low exploitation probability, the main risk is exposure to accidental or targeted CSRF attacks while awaiting a vendor patch."}}}}, "created": "2026-01-23T16:28:02.065267+00:00", "updated": "2026-04-16T18:00:11.170430+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}