The User Language Switch plugin for WordPress has a stored cross‑site scripting flaw that allows an authenticated attacker with administrator privileges or higher to inject arbitrary JavaScript via the 'tab_color_picker_language_switch' parameter. When the affected parameter is stored, the injected script runs in the context of any user's browser that views the affected page, potentially enabling credential theft, session hijacking, or defacement. The flaw exists in all plugin versions up to and including 1.6.10 and requires that the site run as a multisite installation with the unfiltered_html capability disabled.

WordPress installations running the webilop User Language Switch plugin version 1.6.10 or earlier. The vulnerability is present when the site is configured for multisite support and when the role has administrator-level access. Models of the environment include any WordPress installation that uses the plugin’s configuration options accessed by administrators.

The CVSS score of 4.4 indicates moderate risk while the EPSS score of less than 1% suggests a low probability of exploitation at the time of assessment. The vulnerability is not listed in the CISA KEV catalog, meaning it has not been observed in widespread exploitation. Exploitation requires an attacker to obtain or compromise an administrator account and modify the plugin’s option value, implying that credential compromise or social engineering are primary attack vectors. Once the parameter is modified, the stored script executes for all visitors of the affected pages, making this a useful threat for attackers with privileged access.