CVE-2026-22462 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin 'Add Polylang support for Customizer' developed by richardevcom, affecting versions up to 1.4.5. This plugin integrates Polylang multilingual support into the WordPress Customizer interface, enabling site administrators to manage language settings. The vulnerability arises because the plugin fails to implement adequate CSRF protections on certain actions, allowing an attacker to craft malicious web requests that, when executed by an authenticated user, cause unintended changes to the site's language customization settings. The CVSS 3.1 base score of 4.3 reflects that the attack vector is network-based, requires no privileges, but does require user interaction (e.g., clicking a malicious link). The impact is limited to integrity, as unauthorized changes can be made to the site configuration, but confidentiality and availability remain unaffected. No known public exploits exist, and no patches are currently linked, indicating a need for vendor response. The vulnerability is particularly relevant for WordPress sites leveraging Polylang for multilingual content, as attackers could manipulate language settings or related customizer options, potentially disrupting user experience or site presentation.

For European organizations, especially those operating multilingual WordPress websites using the 'Add Polylang support for Customizer' plugin, this vulnerability could lead to unauthorized modifications of site language settings or customization options. While it does not directly expose sensitive data or cause downtime, integrity loss can degrade user experience, confuse site visitors, and potentially harm brand reputation. Attackers could exploit this to subtly alter site content presentation or language configurations, which may be leveraged in social engineering or phishing campaigns targeting European users. Organizations in sectors such as e-commerce, government, education, and media that rely heavily on multilingual WordPress sites are at higher risk. The absence of known exploits reduces immediate threat but does not eliminate risk, especially as attackers often weaponize such vulnerabilities once publicly disclosed.

Organizations should monitor the vendor's updates and apply patches promptly once available. In the interim, administrators can implement additional CSRF protections by using security plugins that enforce nonce verification or by customizing the plugin code to include nonce checks on all state-changing requests. Restricting access to the WordPress Customizer and plugin management to trusted, authenticated users reduces exposure. Employing web application firewalls (WAF) with rules to detect and block suspicious CSRF attempts can provide an additional layer of defense. Regularly auditing user roles and permissions to minimize the number of users with customization privileges is recommended. Educating users to avoid clicking suspicious links and maintaining up-to-date backups will aid in recovery if exploitation occurs.