Impact
The Admin in English with Switch plugin for WordPress suffers from a Cross‑Site Request Forgery flaw caused by missing or incorrect nonce validation on the enable_eng function. This vulnerability allows an unauthenticated attacker to craft a forged request and, if an administrator clicks a link, change language settings without needing any credentials. The impact is the unauthorized alteration of configuration data, which can degrade the user experience, disrupt content management, or be used as a stepping stone for further social‑engineering attacks. The weakness is a typical CSRF flaw (CWE‑352).
Affected Systems
WordPress sites that have the Admin in English with Switch plugin installed, version 1.1 or earlier. The plugin is distributed under the “dontcare:Admin in English with Switch” package name, and any site running any pre‑1.2 release is vulnerable.
Risk and Exploitability
The CVSS score of 4.3 places this vulnerability in the low‑to‑medium range, and an EPSS score of less than 1% indicates negligible exploitation probability in the wild. The problem is not listed in the CISA KEV catalog, and there are no known active exploit campaigns. The probable attack vector is an unauthenticated, web‑based request that a legitimate administrator is tricked into issuing by visiting a malicious link or clicking a disguised button. Because the browser attaches the administrator's session cookies to that request, and the plugin performs no nonce verification, the language setting is changed without any further authorization.
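To make the weakness described in the Impact and Risk sections concrete, here is an added illustration of the vulnerable handler pattern next to its hardened form. This is not the plugin's own code; the hook names, option name and form markup are assumed for the example, and only the enable_eng action name comes from the advisory.

```php
<?php
// Added illustration, not the plugin's own code. Option name, hook and
// handler names are assumed for the example.

// VULNERABLE PATTERN: the handler trusts any request that reaches it.
// An administrator who merely follows a crafted link will flip the
// setting without intending to, because the browser sends the admin's
// session cookies automatically and nothing ties the request to the
// site's own UI.
add_action( 'admin_post_enable_eng_unsafe', 'enable_eng_unsafe' );
function enable_eng_unsafe() {
    // No nonce check and no capability check (CWE-352).
    update_option( 'aiews_admin_language', sanitize_text_field( $_REQUEST['lang'] ) );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// HARDENED PATTERN: require a capability and a valid nonce bound to
// this specific action before touching the option.
add_action( 'admin_post_enable_eng', 'enable_eng_safe' );
function enable_eng_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() verifies the '_wpnonce' field against the
    // 'enable_eng' action and calls wp_die() if it is missing or stale,
    // so a forged cross-site request never reaches update_option().
    check_admin_referer( 'enable_eng' );

    $lang = isset( $_POST['lang'] ) ? sanitize_text_field( wp_unslash( $_POST['lang'] ) ) : 'en_US';
    update_option( 'aiews_admin_language', $lang );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}

// The legitimate settings form emits the nonce, so only a form rendered
// by the site itself for this logged-in user carries a value that verifies.
function enable_eng_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="enable_eng">
        <?php wp_nonce_field( 'enable_eng' ); ?>
        <input type="hidden" name="lang" value="en_US">
        <?php submit_button( 'Switch admin to English' ); ?>
    </form>
    <?php
}
```

A quick review check for any plugin handler of this kind is that every state-changing action both verifies a nonce (check_admin_referer or wp_verify_nonce) and checks current_user_can() before calling update_option().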