Platform: wordpress
Component: add-polylang-support-for-customizer
Fixed in: 1.4.6
CVE-2026-22462 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Add Polylang support for Customizer WordPress plugin. It allows an attacker to perform unauthorized actions as a logged-in user who is tricked into clicking a malicious link. The vulnerability affects versions from 0.0 up to and including 1.4.5, and a patch is available.
A successful CSRF attack could allow an attacker to modify plugin settings, create or delete language configurations, or perform other actions as the logged-in user. The impact is amplified if the targeted user has administrative privileges, potentially granting the attacker control over the entire WordPress site. Like other CSRF flaws, exploitation requires user interaction, but the potential for unauthorized modifications still makes it a significant security risk. The blast radius extends to any user with access to the plugin’s functionality.
CVE-2026-22462 was publicly disclosed on 2026-01-22. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. Monitor security advisories and WordPress vulnerability databases for updates.
Exploit Status
EPSS: 0.02% (4th percentile)
The primary mitigation is to upgrade the Add Polylang support for Customizer plugin to a version that addresses this vulnerability. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out suspicious requests: specifically, reject state-changing requests whose Origin or Referer header does not match your site. Additionally, ensure users are educated about the risks of clicking on untrusted links. After upgrading, confirm the fix by attempting to trigger a CSRF request against your own test site and verifying that the action is blocked or requires authentication.
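The Origin/Referer rule described above, written out as an added example (not code from the page, the plugin, or any WAF product); the site origin, admin path prefixes and sample requests are constructed assumptions. It only inspects state-changing requests to the admin and REST paths, treats a missing or `null` Origin as cross-site, and leaves everything else untouched; the durable fix remains the plugin's own nonce check (`check_admin_referer` / `wp_verify_nonce`), which the patched release is expected to provide.

```python
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.com"            # assumption: the protected site
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
ADMIN_PREFIXES = ("/wp-admin/", "/wp-json/")   # assumption: where settings handlers live

def _origin_of(url):
    """Reduce a URL to scheme://host[:port] (lower-cased), or None if unparsable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

def is_suspect_request(method, path, headers, site_origin=SITE_ORIGIN):
    """Return True when the WAF rule should reject the request.

    Browsers attach Origin to cross-site POSTs, so an Origin that is absent,
    'null' (sandboxed iframe / data: URL) or a different site means the
    request did not come from the user's own admin pages.  Referer is used
    only as a fallback when Origin is missing.
    """
    if method.upper() not in STATE_CHANGING or not path.startswith(ADMIN_PREFIXES):
        return False                      # GET and non-admin paths are not inspected
    hdrs = {k.lower(): v for k, v in headers.items()}
    site = site_origin.lower()
    origin = hdrs.get("origin")
    if origin is not None:
        return origin.strip().lower() != site
    referer = hdrs.get("referer")
    if referer is not None:
        return _origin_of(referer) != site
    # Neither header present: same-site cannot be proven, so block.  Caveat:
    # non-browser clients (cron jobs, CLI tools, mobile apps) that post to
    # wp-admin without these headers need an explicit allow-list.
    return True

# Constructed sample requests: (method, path, headers, expected_blocked)
SAMPLES = [
    ("POST", "/wp-admin/admin-post.php", {"Origin": "https://example.com"}, False),
    ("POST", "/wp-admin/admin-post.php", {"Origin": "https://attacker.example"}, True),
    ("POST", "/wp-admin/options.php", {"Referer": "https://example.com/wp-admin/"}, False),
    ("POST", "/wp-admin/options.php", {"Origin": "null"}, True),
    ("POST", "/wp-admin/options.php", {}, True),
    ("GET", "/wp-admin/options.php", {}, False),
    ("POST", "/wp-comments-post.php", {}, False),
]

if __name__ == "__main__":
    for method, path, hdrs, expected in SAMPLES:
        assert is_suspect_request(method, path, hdrs) == expected
        print(method, path, hdrs, "-> blocked" if expected else "-> allowed")
```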
CVE-2026-22462 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Add Polylang support for Customizer WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using Add Polylang support for Customizer versions 0.0 through 1.4.5. Upgrade to a patched version to resolve the vulnerability.
Upgrade the Add Polylang support for Customizer plugin to the latest available version. Consider implementing WAF rules as a temporary mitigation if upgrading is not immediately possible.
As of now, there are no confirmed reports of active exploitation, but it's crucial to apply the patch proactively.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.