
CVE-2026-0745: CWE-918 Server-Side Request Forgery (SSRF) in webilop User Language Switch

Severity: High
Tags: Vulnerability, CVE-2026-0745, CWE-918
Published: Sat Feb 14 2026 (02/14/2026, 06:42:27 UTC)
Source: CVE Database V5
Vendor/Project: webilop
Product: User Language Switch

Description

The User Language Switch plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.10 due to missing URL validation on the 'download_language()' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

AI-Powered Analysis

Last updated: 02/14/2026, 07:04:21 UTC

Technical Analysis

CVE-2026-0745 is a Server-Side Request Forgery (SSRF) vulnerability in the User Language Switch plugin for WordPress, developed by webilop. It affects all versions up to and including 1.6.10 and is caused by insufficient validation of URLs in the 'download_language()' function. This function is responsible for downloading language files but does not properly sanitize or restrict the URLs it processes. As a result, an attacker with authenticated Administrator-level access can craft requests that cause the server to initiate HTTP requests to arbitrary internal or external locations. SSRF vulnerabilities are particularly dangerous because they can be used to bypass network access controls, query internal services that are not exposed externally, and potentially manipulate internal APIs or services. Although exploitation requires administrative privileges, which narrows the pool of possible attackers, the impact is significant because it can lead to information disclosure and integrity violations within the internal network. The CVSS v3.1 score of 7.2 reflects a high severity, with a network attack vector, low attack complexity, no privileges required (PR:N in the vector likely indicates no additional privileges beyond authentication), no user interaction, and a scope change. No public exploits or patches are currently available, which increases the urgency for organizations to implement mitigations. The vulnerability is classified under CWE-918, which covers SSRF issues. Given the widespread use of WordPress in Europe and the critical nature of administrative access exploitation, this vulnerability poses a substantial risk to affected web environments.

Potential Impact

For European organizations, the impact of CVE-2026-0745 can be considerable, especially for those relying on WordPress sites with the User Language Switch plugin installed. An attacker with administrator credentials could leverage this SSRF flaw to reach internal services that are otherwise inaccessible from the internet, such as internal APIs, databases, or cloud metadata services. This could lead to unauthorized disclosure of sensitive customer or corporate information, or to manipulation of internal systems. Additionally, the SSRF could serve as a stepping stone for lateral movement within the network or for further attacks such as privilege escalation or data exfiltration. The vulnerability does not directly affect availability but compromises confidentiality and integrity. European organizations in sectors with strict data protection regulations (e.g., GDPR) face compliance risks if internal data is exposed. Because neither a patch nor a known exploit is available, organizations must act proactively to mitigate the risk. The threat is particularly relevant for public-facing WordPress sites managed by enterprises, government agencies, and critical infrastructure providers in Europe.

Mitigation Recommendations

To mitigate CVE-2026-0745 effectively, European organizations should:

1) Immediately audit WordPress installations to identify the presence of the User Language Switch plugin and confirm the version in use.
2) Restrict administrative access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise.
3) Implement network-level controls to restrict outbound HTTP requests from web servers, limiting the ability of SSRF attacks to reach internal services.
4) Use web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the 'download_language()' function or unusual URL parameters.
5) Monitor logs for anomalous internal requests originating from the web server that could indicate SSRF exploitation attempts.
6) If possible, temporarily disable or remove the User Language Switch plugin until a security patch is released.
7) Engage with the plugin vendor or community to track patch availability and apply updates promptly once released.
8) Conduct internal penetration testing focusing on SSRF vectors to identify and remediate similar issues proactively.
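As an added example, not code from the User Language Switch plugin or from this advisory, this is the kind of URL check that a language-file download routine can apply before fetching anything, addressing the missing validation described in the Technical Analysis and complementing the network controls in item 3: only https, a fixed host allowlist, no embedded credentials or custom ports, and every resolved address public. The function name validate_language_download_url() and the allowlist host are assumptions.

```php
<?php
// Added example (hypothetical names, not the plugin's code): allowlist-based
// validation of a URL before a server-side download is attempted.

/**
 * Return true only if $url is an https URL whose host is on $allowed_hosts
 * and whose DNS records all point at public addresses.
 */
function validate_language_download_url(string $url, array $allowed_hosts): bool {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    // Only https: file://, gopher://, plain http and other schemes are refused.
    if (strtolower($parts['scheme']) !== 'https') {
        return false;
    }
    // A language-file download never needs credentials or a custom port.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return false;
    }
    // Exact host allowlist: internal hostnames and IP literals are not on it.
    $host = strtolower($parts['host']);
    if (!in_array($host, array_map('strtolower', $allowed_hosts), true)) {
        return false;
    }
    // Resolve the host and refuse private, loopback, link-local and other
    // reserved ranges (e.g. 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, ::1).
    $records = @dns_get_record($host, DNS_A | DNS_AAAA);
    if (empty($records)) {
        return false;
    }
    foreach ($records as $record) {
        $ip = $record['ip'] ?? $record['ipv6'] ?? null;
        if ($ip === null || filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

// Constructed usage: the allowlist host is a placeholder, not a real source.
$allowed = ['translations.example.com'];
var_dump(validate_language_download_url('https://translations.example.com/de_DE.mo', $allowed));
var_dump(validate_language_download_url('https://10.0.0.5/de_DE.mo', $allowed));
var_dump(validate_language_download_url('http://translations.example.com/de_DE.mo', $allowed));
```

In WordPress the validated URL would then be passed to wp_safe_remote_get(), which also refuses redirects to unsafe destinations. The DNS check can still be raced by rebinding between check and fetch, so the outbound network filtering in item 3 remains the stronger control.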


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-01-08T18:43:02.867Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69901aecc9e1ff5ad8689375

Added to database: 2/14/2026, 6:49:16 AM

Last enriched: 2/14/2026, 7:04:21 AM

Last updated: 2/15/2026, 6:02:04 AM
