Description
Cross-Site Request Forgery (CSRF) vulnerability in richardevcom Add Polylang support for Customizer add-polylang-support-for-customizer allows Cross Site Request Forgery. This issue affects Add Polylang support for Customizer: from n/a through <= 1.4.5.
Published: 2026-01-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized actions via CSRF
Action: Patch ASAP
AI Analysis

Impact

The Add Polylang Support for Customizer plugin for WordPress is vulnerable to a token‑less cross‑site request forgery flaw (CWE‑352): a state‑changing request is accepted without a nonce or equivalent CSRF token. An attacker who can lure a logged‑in user to a crafted URL may cause that user’s browser to send authenticated requests to the WordPress site, inadvertently altering settings, modifying content, or performing other privileged actions, limited only by the victim’s permissions. Because the actions execute with the victim’s session, the flaw can compromise configuration integrity and content authenticity.

Affected Systems

All installations of the Add Polylang Support for Customizer plugin at version 1.4.5 or earlier, as provided by the vendor richardevcom. The flaw resides in the plugin’s own request handling, so every WordPress site with the plugin active is affected regardless of the WordPress core version in use.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while an EPSS score of less than 1% suggests the likelihood of exploitation is currently low. The flaw is not listed in the CISA KEV catalog, further implying limited known exploitation. The likely attack path is a victim user with site administrator or editor privileges who is lured into opening a malicious link; the attacker needs neither direct network access to the site nor code execution, only the victim’s authenticated browser session. Such a link could be delivered through email, forums, or advertisements. Given the low exploitation probability, the main risk is exposure to opportunistic or targeted CSRF attacks while awaiting a vendor patch.

Generated by OpenCVE AI on April 16, 2026 at 17:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Add Polylang Support for Customizer plugin to a patched release that includes CSRF protection.
  • If no patch is available, completely deactivate the plugin or block access to its administrative pages until the update is applied.
  • Deploy a web application firewall, or add request handling that rejects any state‑changing request lacking a valid CSRF token (in WordPress, a nonce), to guard against the flaw until the plugin is patched.
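To illustrate the last recommendation, the following added example (not the plugin's code; the action, option and nonce names are assumptions) shows a WordPress settings handler that accepts any authenticated request beside the hardened version that verifies a nonce and a capability before changing state.

```php
<?php
// Added illustration, not the plugin's own code. Handler, option and nonce
// names below are hypothetical and chosen for the example only.

// Vulnerable pattern: the handler trusts any request carrying the victim's
// session cookie, so a cross-site form submission from a logged-in admin's
// browser is accepted and the option is overwritten.
add_action( 'admin_post_example_save_settings_vuln', function () {
    update_option( 'example_plugin_language', $_POST['language'] ?? '' );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
} );

// Hardened pattern, part 1: the form embeds a nonce tied to this action and
// to the current user, which a third-party site cannot obtain or forge.
function example_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_settings">';
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    echo '<input type="text" name="language" value="'
        . esc_attr( get_option( 'example_plugin_language', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// Hardened pattern, part 2: the handler refuses the request unless the nonce
// is valid, then enforces the capability and sanitizes the input.
add_action( 'admin_post_example_save_settings', function () {
    // check_admin_referer() terminates the request with a 403 page when the
    // nonce is missing, expired, or was issued for a different user/action.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // A nonce proves intent, not authorization; the capability check is separate.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $language = sanitize_text_field( wp_unslash( $_POST['language'] ?? '' ) );
    update_option( 'example_plugin_language', $language );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
} );
```

For handlers registered on wp_ajax_ hooks the equivalent check is check_ajax_referer() with the same action and field names.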


Tracking

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 21:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in richardevcom Add Polylang support for Customizer add-polylang-support-for-customizer allows Cross Site Request Forgery. This issue affects Add Polylang support for Customizer: from n/a through <= 1.4.5.

Type: Title
Values Added: WordPress Add Polylang support for Customizer plugin <= 1.4.5 - Cross Site Request Forgery (CSRF) vulnerability

Type: Weaknesses
Values Added: CWE-352

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T17:16:26.368Z

Reserved: 2026-01-07T13:43:59.553Z

Link: CVE-2026-22462

Vulnrichment

Updated: 2026-01-27T20:37:25.665Z

NVD

Status : Deferred

Published: 2026-01-22T17:16:35.030

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22462

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:00:11Z

Weaknesses