CVE-2026-22462 | Severity: MEDIUM | CVSS 4.3

CVE-2026-22462: CSRF in Add Polylang support for Customizer

Platform

wordpress

Component

add-polylang-support-for-customizer

Fixed in

1.4.6

AI Confidence: high | NVD | EPSS 0.0% | Reviewed: May 2026

CVE-2026-22462 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Add Polylang support for Customizer WordPress plugin. This vulnerability allows an attacker to potentially execute unauthorized actions on a user's account if they are tricked into clicking a malicious link. The vulnerability impacts versions from 0.0 up to and including 1.4.5, and a patch is available.


Impact and Attack Scenarios

A successful CSRF attack could allow an attacker to modify plugin settings, create or delete language configurations, or perform other actions as the logged-in user. The impact is amplified if the targeted user has administrative privileges, potentially granting the attacker control over the entire WordPress site. This vulnerability is similar to other CSRF flaws where user interaction is required, but the potential for unauthorized modifications makes it a significant security risk. The blast radius extends to any user with access to the plugin’s functionality.

Exploitation Context

CVE-2026-22462 was publicly disclosed on 2026-01-22. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. Monitor security advisories and WordPress vulnerability databases for updates.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.02% (4% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (base score 4.3, MEDIUM; source: nextguardhq.com)
What do these metrics mean?
Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
Integrity: Low — attacker can modify some data with limited scope or impact.
Availability: None — no availability impact. Service remains fully operational.

Affected Software

Component: add-polylang-support-for-customizer
Vendor: wordfence
Affected range: 0 – 1.4.5
Fixed in: 1.4.6

Package Information

Active installs: 2K (Niche)
Plugin rating: 4.5
Requires WordPress: 4.7+
Compatible up to: 6.1.10
Requires PHP: 5.6+

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 122 days since disclosure

Mitigation and Workarounds

The primary mitigation is to upgrade the Add Polylang support for Customizer plugin to a version that addresses this vulnerability. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out suspicious requests: specifically, state-changing requests to the plugin's admin endpoints whose Origin or Referer header does not match your site. Additionally, ensure users are educated about the risks of clicking on untrusted links. After upgrading, confirm the fix by attempting to trigger a CSRF request in a test environment and verifying that the action is blocked or requires a valid nonce.
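The Origin/Referer screening suggested above, expressed as request-filter logic so the decision rules are explicit. This is an added example, not code from the plugin, from Wordfence or from this advisory; the site origin, endpoint prefixes and request headers are constructed values, and the header-precedence order (Sec-Fetch-Site, then Origin, then Referer) is a design choice made here:

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Constructed value for the example: the origin of the protected WordPress site.
SITE_ORIGIN = "https://blog.example"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
# Constructed assumption: admin and REST paths are where plugin settings change.
ADMIN_PREFIXES = ("/wp-admin/", "/wp-json/")


def origin_of(url: str) -> Optional[str]:
    """Reduce an absolute URL to scheme://host[:port] (lower-cased), else None."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower() if p.scheme and p.netloc else None


def should_block(method: str, path: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a request looks like a cross-site (CSRF-style) write.

    Returns (block, reason). Only state-changing requests to admin/API paths
    are screened; reads and public pages pass through untouched.
    """
    if method.upper() not in STATE_CHANGING:
        return False, "safe method"
    if not path.startswith(ADMIN_PREFIXES):
        return False, "not an admin endpoint"
    h = {k.lower(): v for k, v in headers.items()}

    # Browsers label where a request came from; a clear verdict ends the check.
    sfs = h.get("sec-fetch-site", "").lower()
    if sfs == "cross-site":
        return True, "sec-fetch-site=cross-site"
    if sfs in ("same-origin", "none"):  # "none" = typed URL or bookmark
        return False, f"sec-fetch-site={sfs}"

    # Fall back to Origin, then Referer. A cross-origin form POST carries the
    # attacker's page as Origin, so a mismatch against the site is a strong signal.
    for name in ("origin", "referer"):
        value = h.get(name)
        if value and value.lower() != "null":
            if origin_of(value) == SITE_ORIGIN:
                return False, f"{name} matches site"
            return True, f"{name} mismatch: {value}"

    # Neither header present: strict setting blocks. Expect false positives from
    # non-browser clients and privacy tools, so log these before enforcing.
    return True, "no origin or referer on state-changing admin request"
```

A nonce check inside the plugin remains the real fix; header screening only narrows the window until the upgrade is applied.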

How to fix

No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.


Frequently asked questions

What is CVE-2026-22462 — CSRF in Add Polylang support for Customizer?

CVE-2026-22462 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Add Polylang support for Customizer WordPress plugin, allowing attackers to perform unauthorized actions.

Am I affected by CVE-2026-22462 in Add Polylang support for Customizer?

You are affected if you are using Add Polylang support for Customizer versions 0.0 through 1.4.5. Upgrade to a patched version to resolve the vulnerability.

How do I fix CVE-2026-22462 in Add Polylang support for Customizer?

Upgrade the Add Polylang support for Customizer plugin to the latest available version. Consider implementing WAF rules as a temporary mitigation if upgrading is not immediately possible.

Is CVE-2026-22462 being actively exploited?

As of now, there are no confirmed reports of active exploitation, but it's crucial to apply the patch proactively.

Where can I find the official Add Polylang support for Customizer advisory for CVE-2026-22462?

Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.
