CVE-2025-49064: 
WordPress vulnerability analysis and mitigation

CVE-2025-49064 is a Reflected Cross-Site Scripting (XSS) vulnerability discovered in the WordPress User Language Switch plugin affecting versions up to 1.6.10. The vulnerability was reported by Nguyen Xuan Chien on July 23, 2025, and was publicly disclosed on August 7, 2025 (Patchstack).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue due to improper neutralization of input during web page generation (CWE-79). It has received a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability can be exploited without authentication, making it particularly concerning (Patchstack).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

Currently, there is no official fix available for this vulnerability. The software is considered abandoned as it hasn't been updated for over a year. Users are advised to either remove and replace the plugin or implement virtual patching through security services. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available (Patchstack).