
CVE-2026-0745: CWE-918 Server-Side Request Forgery (SSRF) in webilop User Language Switch

Severity: High
Tags: vulnerability, CVE-2026-0745, CWE-918
Published: Sat Feb 14 2026 (02/14/2026, 06:42:27 UTC)
Source: CVE Database V5
Vendor/Project: webilop
Product: User Language Switch

Description

The User Language Switch plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.10 due to missing URL validation on the 'download_language()' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/21/2026, 22:18:25 UTC

Technical Analysis

CVE-2026-0745 is a Server-Side Request Forgery (SSRF) vulnerability identified in the webilop User Language Switch plugin for WordPress, affecting all versions up to and including 1.6.10. The vulnerability stems from inadequate input validation in the 'download_language()' function, which fails to properly validate URLs before making HTTP requests. As a result, an authenticated attacker with Administrator-level access or higher can manipulate the plugin to send arbitrary HTTP requests from the web server to internal or external systems. SSRF vulnerabilities allow attackers to bypass network restrictions, potentially accessing sensitive internal services, metadata endpoints, or other protected resources. Although exploitation requires administrative privileges, the impact is significant because it can lead to unauthorized information disclosure or modification within internal networks. The vulnerability has a CVSS 3.1 base score of 7.2 (high severity), reflecting its potential impact on confidentiality and integrity, ease of exploitation given administrative access, and the scope of affected systems. No public exploits have been reported yet, and no official patches or mitigation links are currently provided. The vulnerability was reserved in early January 2026 and published in mid-February 2026 by Wordfence. The CWE classification is CWE-918, which corresponds to SSRF vulnerabilities.

Potential Impact

The primary impact of this SSRF vulnerability is unauthorized access to internal network resources and services that are normally inaccessible from outside the web server. Attackers with administrative access can leverage this flaw to query internal APIs, cloud metadata services, or other sensitive endpoints, potentially extracting confidential data or modifying internal configurations. This can lead to data breaches, lateral movement within the network, or disruption of internal services. Since the vulnerability requires administrator-level authentication, the risk is elevated in environments where privilege escalation or insider threats exist. Organizations relying on the User Language Switch plugin expose themselves to risks of internal network reconnaissance and data exfiltration. The integrity of internal systems can also be compromised if attackers use SSRF to interact with internal management interfaces. Although availability impact is low, the confidentiality and integrity impacts are significant, especially in complex enterprise environments with segmented internal networks.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately restrict administrative access to trusted personnel and monitor for suspicious administrator activities. Since no official patch is currently available, consider disabling or uninstalling the User Language Switch plugin until a fixed version is released. Implement network-level controls such as egress filtering and internal firewall rules to prevent the web server from making unauthorized outbound requests to sensitive internal services. Employ web application firewalls (WAFs) with custom rules to detect and block SSRF attack patterns targeting the plugin's endpoints. Conduct thorough audits of administrator accounts and privilege assignments to reduce the risk of compromised credentials. Additionally, implement strict input validation and URL whitelisting for any plugin or custom code that performs outbound HTTP requests. Once a patch is released, apply it promptly and verify that URL validation is enforced correctly in the 'download_language()' function.
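The last recommendation above (strict validation and an allowlist for any code that performs outbound HTTP requests) is the one a plugin author can act on directly. The following is an added illustration written for this page, not code from the User Language Switch plugin or from webilop: a hypothetical WordPress helper that checks a user-supplied URL against a host allowlist, rejects non-HTTPS schemes, credentials and odd ports, refuses hosts that resolve into private, loopback or reserved address space, and only then fetches the file with wp_safe_remote_get() and redirects disabled. The function names uls_safe_download_url() and uls_download_language_file() and the host translations.example.com are assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code. Assumes it runs inside WordPress
// (wp_parse_url, WP_Error, wp_safe_remote_get are core functions/classes).

/**
 * Validate a URL before the server fetches it on an administrator's behalf.
 * Returns the normalised URL string on success or a WP_Error on rejection.
 *
 * @param string   $url           URL taken from the request (untrusted).
 * @param string[] $allowed_hosts Lower-case host names the plugin may contact.
 */
function uls_safe_download_url( string $url, array $allowed_hosts ) {
	$parts = wp_parse_url( $url );
	if ( ! is_array( $parts ) || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
		return new WP_Error( 'uls_bad_url', 'Download URL must be absolute.' );
	}
	// Only plain HTTPS to a named host: no file://, gopher://, http:// etc.
	if ( 'https' !== strtolower( $parts['scheme'] ) ) {
		return new WP_Error( 'uls_bad_scheme', 'Only https:// downloads are permitted.' );
	}
	// Embedded credentials (https://user:pass@host/) are a classic parser-confusion trick.
	if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
		return new WP_Error( 'uls_userinfo', 'Credentials in the URL are not permitted.' );
	}
	// A non-standard port is how SSRF reaches internal admin services; refuse it.
	if ( isset( $parts['port'] ) && 443 !== (int) $parts['port'] ) {
		return new WP_Error( 'uls_bad_port', 'Only port 443 is permitted.' );
	}
	// Normalise the host (case, trailing dot) before the allowlist comparison.
	$host = strtolower( rtrim( $parts['host'], '.' ) );
	if ( ! in_array( $host, $allowed_hosts, true ) ) {
		return new WP_Error( 'uls_host_not_allowed', 'Host is not on the download allowlist.' );
	}
	// Defence in depth: even an allowlisted name must not resolve to internal space.
	$ips = gethostbynamel( $host );
	if ( empty( $ips ) ) {
		return new WP_Error( 'uls_dns', 'Host does not resolve.' );
	}
	foreach ( $ips as $ip ) {
		$ok = filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE );
		if ( false === $ok ) {
			return new WP_Error( 'uls_internal_host', 'Host resolves to a private or reserved address.' );
		}
	}
	return 'https://' . $host . ( $parts['path'] ?? '/' )
		. ( isset( $parts['query'] ) ? '?' . $parts['query'] : '' );
}

/**
 * Fetch a language file only after the URL passed validation.
 * Returns the response body string or a WP_Error.
 */
function uls_download_language_file( string $url ) {
	$allowed = array( 'translations.example.com' ); // constructed placeholder allowlist
	$checked = uls_safe_download_url( $url, $allowed );
	if ( is_wp_error( $checked ) ) {
		return $checked;
	}
	// wp_safe_remote_get() sets reject_unsafe_urls; redirection => 0 stops an
	// allowlisted host from bouncing the request to an internal address.
	$response = wp_safe_remote_get( $checked, array( 'timeout' => 10, 'redirection' => 0 ) );
	if ( is_wp_error( $response ) ) {
		return $response;
	}
	if ( 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
		return new WP_Error( 'uls_http_status', 'Unexpected HTTP status from download host.' );
	}
	return wp_remote_retrieve_body( $response );
}
```

Two caveats a reviewer would raise. First, the DNS check is advisory only: the name is resolved once here and again by the HTTP client, so a rebinding server can still answer differently the second time; the allowlist and the disabled redirects are what carry the real weight, and the IP check is a second layer. Second, gethostbynamel() returns IPv4 records only, so an IPv6-capable deployment would need an equivalent check on AAAA records before the allowlist can be trusted to exclude internal hosts.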


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-01-08T18:43:02.867Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69901aecc9e1ff5ad8689375

Added to database: 2/14/2026, 6:49:16 AM

Last enriched: 2/21/2026, 10:18:25 PM

Last updated: 3/30/2026, 11:28:39 PM

Views: 158
