Platform
wordpress
Component
add-polylang-support-for-customizer
Fixed in
1.4.6
CVE-2026-22462 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Add Polylang support for Customizer WordPress plugin. This vulnerability allows an attacker to potentially execute unauthorized actions on a user's account if they are tricked into clicking a malicious link. The vulnerability impacts versions from 0.0 up to and including 1.4.5, and a patch is available.
A successful CSRF attack could allow an attacker to modify plugin settings, create or delete language configurations, or perform other actions as the logged-in user. The impact is amplified if the targeted user has administrative privileges, potentially granting the attacker control over the entire WordPress site. This vulnerability is similar to other CSRF flaws where user interaction is required, but the potential for unauthorized modifications makes it a significant security risk. The blast radius extends to any user with access to the plugin’s functionality.
CVE-2026-22462 was publicly disclosed on 2026-01-22. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. Monitor security advisories and WordPress vulnerability databases for updates.
WordPress sites utilizing the Add Polylang support for Customizer plugin, particularly those with users who have administrative privileges or frequently interact with the plugin's settings, are at risk. Shared hosting environments where multiple users share the same WordPress installation are also more vulnerable.
• wordpress / composer / npm:
  grep -r 'add-polylang-support-for-customizer' /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep add-polylang-support-for-customizer
• wordpress / composer / npm:
  wp plugin update --all
Disclosure
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Add Polylang support for Customizer plugin to a version that addresses this vulnerability. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out suspicious requests. Specifically, look for requests with unexpected origins or referrers. Additionally, ensure users are educated about the risks of clicking on untrusted links. After upgrading, confirm the fix by attempting to trigger a CSRF attack and verifying that the action is blocked or requires authentication.
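The usual root cause of this class of WordPress CSRF is a settings handler that writes options without verifying a nonce; the advisory does not state this plugin's specific cause. As an added illustration (not the plugin's own code), the following shows the standard WordPress defence on a settings form, a nonce bound to one action plus a capability check; the option, action, function and capability names are assumptions chosen for the example.

```php
<?php
// Added illustration, not code from the affected plugin. Option, action and
// function names (apsc_example_*) are assumptions for this example.

// 1. Render the form with a nonce tied to one specific action.
function apsc_example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="apsc_example_save_settings">
        <?php wp_nonce_field( 'apsc_example_save_settings', 'apsc_example_nonce' ); ?>
        <label>Default language
            <input type="text" name="default_language"
                   value="<?php echo esc_attr( get_option( 'apsc_example_default_language', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Handle the POST: check authorisation (capability) AND intent (nonce).
function apsc_example_save_settings() {
    // Capability check: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // Nonce check: a request forged from another origin cannot carry a valid
    // nonce for this action, so check_admin_referer() stops execution here
    // and the option is never written.
    check_admin_referer( 'apsc_example_save_settings', 'apsc_example_nonce' );

    $lang = isset( $_POST['default_language'] )
        ? sanitize_text_field( wp_unslash( $_POST['default_language'] ) )
        : '';
    update_option( 'apsc_example_default_language', $lang );

    // Redirect back to the (assumed) settings page after a successful save.
    wp_safe_redirect( admin_url( 'options-general.php?page=apsc-example&updated=1' ) );
    exit;
}
add_action( 'admin_post_apsc_example_save_settings', 'apsc_example_save_settings' );
```

Both checks are needed: the capability check alone does not stop CSRF, because a forged request is sent by the victim's own authenticated browser session.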
No patch is known to be available. Please review the vulnerability details in depth and apply mitigations based on your organization's risk tolerance. It may be preferable to uninstall the affected software and look for a replacement.
CVE-2026-22462 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Add Polylang support for Customizer WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using Add Polylang support for Customizer versions 0.0 through 1.4.5. Upgrade to a patched version to resolve the vulnerability.
Upgrade the Add Polylang support for Customizer plugin to the latest available version. Consider implementing WAF rules as a temporary mitigation if upgrading is not immediately possible.
As of now, there are no confirmed reports of active exploitation, but it's crucial to apply the patch proactively.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.