CVE-2026-0735 in User Language Switch Plugin
Summary
by MITRE • 02/14/2026
The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tab_color_picker_language_switch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/20/2026
The vulnerability identified as CVE-2026-0735 resides within the User Language Switch plugin for WordPress, specifically targeting versions up to and including 1.6.10. This represents a critical stored cross-site scripting vulnerability that exploits the 'tab_color_picker_language_switch' parameter, demonstrating a fundamental flaw in input validation and output sanitization mechanisms. The vulnerability's impact is amplified by its requirement for authenticated administrator-level access, making it particularly dangerous in environments where administrative privileges are compromised or mismanaged.
The technical flaw stems from insufficient input sanitization and inadequate output escaping practices within the plugin's codebase. When administrators interact with the language switch functionality, the 'tab_color_picker_language_switch' parameter fails to properly validate or sanitize user-supplied input before storing it within the WordPress database. This stored malicious content then executes whenever legitimate users access pages containing the injected script, creating a persistent threat vector that can affect multiple users within the same installation. The vulnerability's classification aligns with CWE-79, which specifically addresses Cross-Site Scripting flaws, and demonstrates poor input validation practices that violate secure coding principles.
The operational impact of this vulnerability extends beyond simple script execution, as it creates a persistent backdoor for attackers within multi-site WordPress installations. The requirement for unfiltered_html to be disabled further restricts the exploitation window, but simultaneously highlights the plugin's failure to implement proper security controls even within restricted environments. Attackers can leverage this vulnerability to execute malicious scripts that could steal session cookies, redirect users to phishing sites, or perform additional malicious activities. The multi-site installation requirement means that a successful attack could potentially compromise multiple sites within a single WordPress network, amplifying the attack surface and impact.
This vulnerability directly maps to several ATT&CK techniques including T1566 for credential access through social engineering and T1059 for command and scripting interpreter execution. The attack chain typically begins with an attacker gaining administrator access, which then allows them to inject malicious scripts through the vulnerable parameter. The stored nature of the XSS means that the attack persists even after the initial compromise, creating a long-term threat that can be exploited repeatedly. Organizations should consider this vulnerability in the context of their overall security posture, particularly regarding privilege management and the principle of least privilege.
Mitigation strategies should focus on immediate plugin updates to versions that address the sanitization and escaping issues, alongside comprehensive security audits of all installed plugins. System administrators should implement strict access controls and monitoring of administrative activities, as the vulnerability requires elevated privileges to exploit. Additionally, organizations should consider implementing content security policies and regular security scanning to detect similar vulnerabilities across their WordPress installations. The vulnerability highlights the importance of proper input validation and output escaping practices, reinforcing the need for security-conscious development practices and regular security assessments of third-party components.