CVE-2026-0735 is a stored cross-site scripting vulnerability identified in the User Language Switch plugin for WordPress, versions up to and including 1.6.10. The root cause is insufficient sanitization and escaping of the 'tab_color_picker_language_switch' parameter during web page generation, which allows authenticated users with administrator or higher privileges to inject malicious JavaScript code into pages. This vulnerability manifests only in multi-site WordPress installations where the unfiltered_html capability is disabled, limiting the attack surface to specific configurations. When exploited, the injected scripts execute in the context of any user visiting the compromised page, potentially enabling session hijacking, privilege escalation, or other malicious activities. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 3.1 base score is 4.4, indicating medium severity, with the vector reflecting network attack vector, high attack complexity, required privileges at high level, no user interaction, and partial confidentiality and integrity impact. No public exploits have been reported yet, and no patches are linked in the provided data, suggesting that mitigation may require manual updates or vendor intervention. The vulnerability was published on February 14, 2026, and assigned by Wordfence. Given the requirement for administrator-level access, exploitation is limited but still poses a risk in environments where multiple administrators exist or where credentials may be compromised.

The primary impact of CVE-2026-0735 is the potential for stored cross-site scripting attacks that can compromise the confidentiality and integrity of user sessions and data within affected WordPress multi-site installations. Attackers with administrator privileges can inject malicious scripts that execute in the browsers of users visiting the infected pages, potentially leading to session hijacking, unauthorized actions performed on behalf of users, or distribution of malware. While availability is not directly affected, the trustworthiness and security of the affected sites can be undermined, leading to reputational damage and potential data breaches. The requirement for high privileges limits the likelihood of widespread exploitation but does not eliminate risk, especially in environments with multiple administrators or where credential compromise is possible. Organizations relying on this plugin in multi-site setups may face targeted attacks aiming to escalate control or pivot within their infrastructure.

To mitigate CVE-2026-0735, organizations should first verify if they are using the User Language Switch plugin in a multi-site WordPress environment with unfiltered_html disabled. Immediate steps include restricting administrator access to trusted personnel only and auditing existing administrator accounts for suspicious activity. Since no official patch links are provided, administrators should monitor the vendor’s announcements for updates or consider temporarily disabling the plugin until a fix is available. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious input patterns related to the 'tab_color_picker_language_switch' parameter can reduce risk. Additionally, enabling Content Security Policy (CSP) headers can help mitigate the impact of injected scripts. Regularly scanning the site for injected scripts and unusual content is recommended. Finally, educating administrators about the risks of XSS and enforcing strong authentication and credential management practices will reduce the likelihood of exploitation.