Attack Vectors
Product: User Language Switch (slug: user-language-switch)
Severity: Medium (CVSS 4.4; CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N) — CVE-2026-0735.
This issue is a Stored Cross-Site Scripting (XSS) vulnerability in User Language Switch versions up to and including 1.6.10. Exploitation requires an already authenticated account with administrator-level access or higher on the WordPress site; such an account can inject script through the tab_color_picker_language_switch parameter, which the plugin stores and later renders without adequate sanitization or escaping.
Once stored, the script executes in the browser of anyone who loads a page where the stored value is rendered. The Wordfence advisory notes that this only affects multi-site installations and installations where unfiltered_html has been disabled. On a default single-site install an administrator already holds the unfiltered_html capability and can publish arbitrary HTML by design, so the flaw is only a vulnerability where that capability is absent: in multi-site, where only super administrators have it, or on sites where it has been removed with DISALLOW_UNFILTERED_HTML.
Security Weakness
The core weakness is insufficient input sanitization and output escaping for the tab_color_picker_language_switch parameter. In practical terms, the plugin accepts a value for this setting without validating that it is actually a color, and later emits it into page markup without escaping for the surrounding HTML context, so a value that closes the enclosing attribute or tag is interpreted by the browser as markup and script rather than as a color.
Because this is a stored XSS issue, the risk is not limited to a single click or session: once the payload is saved, it can persist and trigger repeatedly for future visitors to the affected admin or site pages.
For organizations that run WordPress multi-site or that have tightened HTML permissions (for example, by disabling unfiltered_html), this creates an exposure path inside an otherwise trusted workflow: an administrator who has deliberately been denied the ability to post raw HTML can nonetheless store script through this setting.
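The pattern behind this class of bug, and the corresponding fix, as an added illustration. This is not the User Language Switch plugin's code; the function names, the option key uls_example_tab_color and the nonce action are hypothetical, and only the form field name tab_color_picker_language_switch comes from the advisory. The vulnerable pair stores the posted value as-is and echoes it into an attribute; the hardened pair allowlists a hex color on save and escapes for the attribute context on output.

```php
<?php
/**
 * Added example, not code from the User Language Switch plugin.
 * Hypothetical names: uls_example_* functions, option 'uls_example_tab_color',
 * nonce action 'uls_example_save'. Requires WordPress core functions
 * (update_option, get_option, esc_attr, current_user_can, check_admin_referer, ...).
 */

// --- Vulnerable pattern: raw input stored, echoed unescaped into an attribute.
function uls_example_save_settings_vulnerable() {
    if ( isset( $_POST['tab_color_picker_language_switch'] ) ) {
        // No capability check, no nonce, no validation: whatever was posted is persisted.
        update_option( 'uls_example_tab_color', wp_unslash( $_POST['tab_color_picker_language_switch'] ) );
    }
}

function uls_example_render_settings_vulnerable() {
    $color = get_option( 'uls_example_tab_color', '#ffffff' );
    // Unescaped output in an attribute context. A stored value such as
    //   #fff" autofocus onfocus="alert(document.domain)
    // closes the value attribute and adds an event-handler attribute,
    // which runs for every user who opens this settings page.
    echo '<input type="text" name="tab_color_picker_language_switch" value="' . $color . '">';
}

// --- Hardened pattern: allowlist on input, context-aware escaping on output.
function uls_example_validate_color( $value ) {
    // Accept only #rgb, #rgba, #rrggbb or #rrggbbaa. Core's sanitize_hex_color()
    // accepts only the 3- and 6-digit forms; this local check is used so the
    // example is self-contained. Anything else is rejected, not "cleaned up".
    $value = trim( (string) $value );
    if ( preg_match( '/^#(?:[0-9a-fA-F]{3,4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})$/', $value ) ) {
        return strtolower( $value );
    }
    return null;
}

function uls_example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // only administrators may change plugin settings
    }
    check_admin_referer( 'uls_example_save', 'uls_example_nonce' ); // CSRF protection
    if ( ! isset( $_POST['tab_color_picker_language_switch'] ) ) {
        return;
    }
    $color = uls_example_validate_color( wp_unslash( $_POST['tab_color_picker_language_switch'] ) );
    if ( null === $color ) {
        add_settings_error( 'uls_example', 'bad_color', 'Invalid color value.' );
        return;
    }
    update_option( 'uls_example_tab_color', $color );
}

function uls_example_render_settings_hardened() {
    // Re-validate on read: the database may already hold a payload saved by a
    // vulnerable version, and the stored value is untrusted until checked.
    $color = uls_example_validate_color( get_option( 'uls_example_tab_color', '#ffffff' ) );
    if ( null === $color ) {
        $color = '#ffffff';
    }
    // Escape for the attribute context even though the value was validated (defence in depth).
    echo '<input type="text" name="tab_color_picker_language_switch" value="' . esc_attr( $color ) . '">';
    wp_nonce_field( 'uls_example_save', 'uls_example_nonce' );
}
```

The validation is deliberately independent of unfiltered_html: a color setting has no legitimate reason to hold markup, so the allowlist applies to every role, and the re-validation on read means a payload already sitting in wp_options is neutralised rather than replayed to the next administrator who opens the page.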
Technical or Business Impacts
Even at a Medium severity rating, stored XSS can carry meaningful business risk—especially in environments where multiple stakeholders use the WordPress admin area and where the site is a key revenue and brand channel.
Potential impacts include: unauthorized changes to visible site content, manipulation of pages or settings within the user’s browser session, and increased likelihood of follow-on compromise through social engineering or misuse of trusted admin access. Depending on who triggers the injected script (e.g., staff, partners, or content teams), the blast radius can extend across workflows and properties in a multi-site setup.
Operational and compliance impacts: brand damage from defaced pages or injected messaging, loss of campaign integrity (altered landing pages, tracking tags, or CTAs), incident response costs, and potential reporting obligations if user data is exposed through browser-based actions. For regulated organizations, this can also raise audit and governance concerns around change control and privileged access.
Remediation status: no patched release is known at this time. Based on your organization’s risk tolerance, consider mitigations such as restricting administrator access, tightening governance over plugin usage in multi-site environments, increasing monitoring for suspicious admin activity, and, where appropriate, uninstalling User Language Switch and selecting a replacement. As a first check, confirm whether the plugin is installed at version 1.6.10 or earlier on any site in the network, and inspect the stored tab color setting for anything that is not a plain color value, since a payload saved before mitigation remains in the database until it is removed.
Similar Attacks
Stored XSS is a common class of web vulnerability and has been widely discussed in the context of CMS ecosystems (including WordPress). For background and real-world context, the following resources provide reputable examples and explanations:
OWASP: Cross Site Scripting (XSS)
PortSwigger Web Security Academy: Stored XSS
Wordfence advisory for User Language Switch (CVE-2026-0735)