Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Webilop User Language Switch user-language-switch allows Reflected XSS.This issue affects User Language Switch: from n/a through <= 1.6.10.
Published: 2025-08-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A reflected cross‑site scripting flaw exists in the Webilop User Language Switch plugin, version 1.6.10 and earlier. The plugin fails to properly neutralize user input when generating a page, allowing an attacker to inject arbitrary JavaScript via the language selection parameter. This vulnerability aligns with CWE‑79, and an attacker could execute arbitrary code in the context of a victim’s browser.

Affected Systems

The issue affects installations of the Webilop User Language Switch plugin from its earliest releases through version 1.6.10. Any WordPress site using this plugin within that version range is vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a high impact. The EPSS score of less than 1% suggests a low probability of widespread exploitation at the moment, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is a malicious URL or query string that an unsuspecting user clicks, resulting in browser execution of injected scripts.

Generated by OpenCVE AI on April 30, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the User Language Switch plugin to the latest release that includes the XSS fix.
  • If upgrading is not immediately possible, disable the language switch feature or remove the plugin until a patch is applied.
  • Implement input validation or output encoding for the language selection parameter, and consider applying a content security policy to mitigate reflected XSS attacks.

Generated by OpenCVE AI on April 30, 2026 at 16:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-24770 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Webilop User Language Switch allows Reflected XSS. This issue affects User Language Switch: from n/a through 1.6.10.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Webilop User Language Switch allows Reflected XSS. This issue affects User Language Switch: from n/a through 1.6.10. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Webilop User Language Switch user-language-switch allows Reflected XSS.This issue affects User Language Switch: from n/a through <= 1.6.10.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 14 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Webilop User Language Switch allows Reflected XSS. This issue affects User Language Switch: from n/a through 1.6.10.
Title WordPress User Language Switch plugin <= 1.6.10 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:32:15.403Z

Reserved: 2025-05-30T14:04:42.920Z

Link: CVE-2025-49064

cve-icon Vulnrichment

Updated: 2025-08-14T19:55:49.451Z

cve-icon NVD

Status : Deferred

Published: 2025-08-14T11:15:39.213

Modified: 2026-04-23T15:31:15.910

Link: CVE-2025-49064

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T16:30:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')