ByteOS Network

CVE Vulnerability Details :

CVE-2026-0745

PUBLISHED

More Info Official Page

Assigner-Wordfence

Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599

Published At-14 Feb, 2026 | 06:42

Updated At-14 Feb, 2026 | 06:42

▼CVE Numbering Authority (CNA)

User Language Switch <= 1.6.10 - Authenticated (Administrator+) Server-Side Request Forgery via 'info_language' Parameter

The User Language Switch plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.10 due to missing URL validation on the 'download_language()' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Affected Products

Vendor

webilop

Product

User Language Switch

Default Status

unaffected

Versions

Affected

From * through 1.6.10 (semver)

Problem Types

Type	CWE ID	Description
CWE	CWE-918	CWE-918 Server-Side Request Forgery (SSRF)

Type: CWE

CWE ID: CWE-918

Description: CWE-918 Server-Side Request Forgery (SSRF)

Metrics

Version	Base score	Base severity	Vector
3.1	7.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Version: 3.1

Base score: 7.2

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Credits

finder

Bhumividh Treloges

Timeline

Event	Date
Disclosed	2026-02-13 18:30:57

Event: Disclosed

Date: 2026-02-13 18:30:57

References

Hyperlink	Resource
https://www.wordfence.com/threat-intel/vulnerabilities/id/4d8d15be-6a7b-485e-a338-ccf1a6eb226c?source=cve	N/A
https://downloads.wordpress.org/plugin/user-language-switch.zip	N/A
https://wordpress.org/plugins/user-language-switch/	N/A
https://plugins.trac.wordpress.org/browser/user-language-switch/trunk/uls-options.php#L451	N/A
https://plugins.trac.wordpress.org/browser/user-language-switch/tags/1.6.10/uls-options.php#L451	N/A