CVE-2025-9623 Overview
CVE-2025-9623 is a Cross-Site Request Forgery (CSRF) vulnerability in the Admin in English with Switch plugin for WordPress. The flaw affects all versions up to and including 1.1. The root cause is missing or incorrect nonce validation on the enable_eng function.
Unauthenticated attackers can modify administrator language settings by tricking a site administrator into clicking a crafted link or visiting a malicious page. The vulnerability is classified under [CWE-352] (Cross-Site Request Forgery) and requires user interaction to succeed. Exploitation does not require authentication on the target site, but it does depend on a targeted administrator triggering the forged request.
Critical Impact
Attackers can alter administrator language settings on affected WordPress sites by luring an authenticated administrator into clicking a malicious link.
Affected Products
- WordPress Admin in English with Switch plugin — all versions through 1.1
- WordPress sites with the plugin installed and active
- Administrator accounts on affected installations
Discovery Timeline
- 2025-09-11 - CVE-2025-9623 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-9623
Vulnerability Analysis
The Admin in English with Switch plugin allows WordPress administrators to switch the admin interface language. The enable_eng function processes requests to change this setting but fails to properly validate a WordPress nonce token. Nonce validation is the standard WordPress mechanism to confirm that a state-changing request originated from a legitimate user interface flow rather than an external source.
Because the check is missing or incorrect, the plugin accepts requests that lack proof of origin. An attacker can craft a request that changes the language setting and embed it in a page or link. When a logged-in administrator visits the attacker-controlled resource, the browser transmits the administrator's session cookies with the forged request. The server then processes the change as if the administrator initiated it.
The impact is limited to integrity of language configuration. Confidentiality and availability are not directly affected, and no code execution path is exposed through this specific flaw.
Root Cause
The root cause is the absence of proper nonce validation on the enable_eng handler, as documented in the plugin source at lines 106 and 113 of admin-in-english-with-switch.php in the 1.1 release. WordPress provides wp_verify_nonce() and check_admin_referer() for exactly this purpose, but the handler does not enforce either check before applying changes.
Attack Vector
The attack requires the victim administrator to be authenticated to WordPress and to interact with attacker-controlled content in the same browser session. A typical chain involves a phishing email, a comment link, or a compromised third-party site containing a hidden form or image tag that issues the forged request to the vulnerable endpoint. The vulnerability manifests when the plugin processes the request without verifying its origin. Refer to the Wordfence Vulnerability Report and the WordPress Plugin Source Code for technical details.
Detection Methods for CVE-2025-9623
Indicators of Compromise
- Unexpected changes to the WordPress administrator interface language setting without a corresponding user-initiated action.
- HTTP requests to the plugin's enable_eng endpoint with Referer headers pointing to external or untrusted origins.
- Administrator sessions performing state changes shortly after visiting external links or emails.
Detection Strategies
- Monitor WordPress access logs for requests to admin-in-english-with-switch endpoints that lack a valid nonce parameter.
- Alert on POST or GET requests to plugin handlers originating from cross-site Referer values.
- Correlate administrator language setting changes with authentication events and browsing telemetry to identify social engineering patterns.
Monitoring Recommendations
- Enable verbose logging on the WordPress admin plane and forward logs to a centralized analysis platform.
- Track plugin version inventory across all managed WordPress installations to identify vulnerable 1.1 or earlier deployments.
- Review administrator activity dashboards for setting modifications that do not align with expected user workflows.
How to Mitigate CVE-2025-9623
Immediate Actions Required
- Deactivate the Admin in English with Switch plugin until a patched version is available and validated.
- Audit WordPress sites for the presence and version of the affected plugin.
- Educate administrators about CSRF-based social engineering and the risk of clicking untrusted links while authenticated to WordPress admin panels.
Patch Information
At the time of publication, the NVD entry does not reference a fixed release beyond version 1.1. Site operators should monitor the WordPress plugin repository and the Wordfence Vulnerability Report for an updated release that introduces nonce validation on the enable_eng function.
Workarounds
- Remove or disable the plugin on all WordPress installations until a fixed version is released.
- Restrict WordPress admin access to trusted IP ranges using web server or firewall rules.
- Deploy a web application firewall rule that blocks requests to the plugin endpoint lacking a same-origin Referer header and a valid _wpnonce parameter.
- Require administrators to use separate browser profiles or sessions for WordPress administration to reduce cross-site request exposure.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

