CVE-2026-0735 Overview
The User Language Switch plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the tab_color_picker_language_switch parameter affecting all versions up to and including 1.6.10. Due to insufficient input sanitization and output escaping, authenticated attackers with administrator-level access can inject arbitrary web scripts that execute whenever a user accesses an injected page. This vulnerability specifically impacts WordPress multi-site installations and installations where unfiltered_html has been disabled.
Critical Impact
Attackers with administrative access can inject persistent malicious scripts that execute in the context of other users' sessions, potentially leading to session hijacking, credential theft, or further site compromise.
Affected Products
- User Language Switch plugin for WordPress versions up to and including 1.6.10
- WordPress multi-site installations using the affected plugin
- WordPress single-site installations with unfiltered_html capability disabled
Discovery Timeline
- 2026-02-14 - CVE-2026-0735 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-0735
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability exists within the User Language Switch plugin's administrative options handling, specifically in the uls-options.php file. The vulnerability arises from the plugin's failure to properly sanitize and escape user-supplied input in the tab_color_picker_language_switch parameter before storing it in the database and rendering it on pages.
The attack requires high privileges (administrator-level access) and targets multi-site WordPress installations or sites where the unfiltered_html capability has been explicitly disabled. When unfiltered_html is disabled, WordPress normally strips dangerous HTML from administrator inputs, but this plugin's custom parameter handling bypasses those protections. The scope is changed, meaning the vulnerability can affect resources beyond the security scope of the vulnerable component, potentially impacting other users viewing injected pages.
Root Cause
The root cause is a CWE-79 (Improper Neutralization of Input During Web Page Generation) weakness in the plugin's options handling. The tab_color_picker_language_switch parameter accepts color picker input that is not properly sanitized using WordPress functions like sanitize_text_field() or esc_attr() before being stored in the database. When this stored data is later rendered on pages, it is output without proper escaping via functions like esc_html() or wp_kses(), allowing malicious JavaScript to execute in victims' browsers.
Attack Vector
The attack is network-based and requires an authenticated attacker with administrator-level privileges to access the plugin's settings page. The attacker crafts a malicious payload containing JavaScript code and submits it through the tab_color_picker_language_switch color picker field. Once stored, the malicious script executes whenever any user—including other administrators or super admins on multi-site installations—accesses a page where this parameter value is rendered.
The vulnerability mechanism involves injecting script content into the color picker parameter. For detailed technical analysis, refer to the vulnerable code at line 365 of uls-options.php in the WordPress plugin repository.
Detection Methods for CVE-2026-0735
Indicators of Compromise
- Unexpected JavaScript or HTML content in the tab_color_picker_language_switch option value in the WordPress database
- Unusual script tags or event handlers stored in User Language Switch plugin settings
- Browser console errors indicating blocked or executed inline scripts on pages utilizing the plugin
Detection Strategies
- Review the WordPress wp_options table for the User Language Switch plugin settings containing suspicious JavaScript, <script> tags, or event handler attributes
- Monitor WordPress admin activity logs for unauthorized changes to the plugin's color picker settings
- Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
Monitoring Recommendations
- Enable comprehensive logging of WordPress administrative actions, particularly settings modifications
- Deploy a Web Application Firewall (WAF) with XSS detection signatures to monitor for malicious payload injection attempts
- Regularly audit plugin settings in multi-site installations for unexpected or suspicious values
How to Mitigate CVE-2026-0735
Immediate Actions Required
- Update the User Language Switch plugin to the latest patched version beyond 1.6.10 immediately
- Review and sanitize existing plugin settings to remove any potentially malicious stored content
- Temporarily deactivate the plugin on multi-site installations until patches can be applied
Patch Information
The vulnerability has been addressed in the trunk version of the plugin. Administrators should update to the latest available version from the WordPress plugin repository. Review the updated code in the trunk branch to verify the fix has been applied. Additional details are available in the Wordfence vulnerability report.
Workarounds
- Restrict administrator access on multi-site installations to trusted users only until the patch is applied
- Implement Content Security Policy headers to mitigate the impact of any successfully stored XSS payloads
- Consider enabling unfiltered_html capability temporarily for administrators on single-site installations as an alternative protection (note: this has other security implications and should be evaluated carefully)
# Verify current plugin version
wp plugin list --name=user-language-switch --fields=name,version
# Update to latest version
wp plugin update user-language-switch
# Check plugin settings for suspicious content
wp option get uls_options | grep -i "script\|javascript\|onerror\|onload"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
