CVE-2026-22462 MEDIUM

CVE-2026-22462: WordPress Add Polylang support for Customizer plugin <= 1.4.5 - Cross Site Request Forgery (CSRF) vulnerability

Vendor: Richardevcom
Product: Add Polylang support for Customizer
Weakness: CWE-352 · CSRF
Published: January 22, 2026
Last update: April 28, 2026

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

Cross-Site Request Forgery (CSRF) vulnerability in richardevcom Add Polylang support for Customizer add-polylang-support-for-customizer allows Cross Site Request Forgery. This issue affects Add Polylang support for Customizer: from n/a through <= 1.4.5.

Explanation of Vulnerability in Simple Terms

02 Summary

A cross-site request forgery (CSRF) vulnerability in Add Polylang support for Customizer versions up to 1.4.5 allows an attacker to perform unwanted actions on behalf of a logged-in user. The vulnerability requires the user to visit a malicious webpage while authenticated. No confidentiality impact occurs, but site settings or content may be modified without authorization.

What an attacker can do

03 Attacker Capabilities

Perform unwanted actions (modify settings or content) on behalf of a logged-in site user.

Potential impact on your site

04 Site Impact

Site settings or content could be altered by an attacker without your knowledge if a logged-in user visits a malicious link.

Conditions required to exploit

05 Prerequisites

Victim must be logged in and visit an attacker-controlled webpage while authenticated to the site.

Key dates

06 Disclosure timeline

January 22, 2026: CVE published
April 28, 2026: Record updated