Description
The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clean_options' function in all versions up to, and including, 5.1. This makes it possible for unauthenticated attackers to delete limited transients that contain cached plugin options.
Published: 2025-10-30
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of plugin options
Action: Upgrade
AI Analysis

Impact

The vulnerability is a missing capability check in the plugin’s clean_options function, allowing an unauthenticated user to delete transients that store cached plugin options. This flaw results in loss of data specific to the translation settings, potentially disrupting website functionality and requiring reconfiguration of the plugin. The weakness is categorized as CWE‑862 and presents a moderate level of risk to the confidentiality and integrity of the plugin’s configuration data.

Affected Systems

All installations of the Translate WordPress with Weglot – Multilingual AI Translation plugin with versions up to and including 5.1 are affected. The vendor is remyb92. Specific version numbers are not listed beyond the 5.1 cutoff, so any build prior to 5.2 remains vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of below 1 % suggests a low probability of exploitation. The flaw is not listed in the CISA KEV catalog. An attacker can trigger the deletion by accessing the clean_options endpoint without authentication, but must discover the correct URL or injection vector to do so. Once exploited, the attacker removes cached options, leading to the loss of translation configuration data and a temporary service disruption.

Generated by OpenCVE AI on April 21, 2026 at 18:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest plugin update (≥ 5.2), which removes the capability check flaw.
  • If updating is not immediately possible, disable or remove the clean_options function via a custom code snippet or by editing the plugin files to protect the transient deletion endpoint.
  • Restrict HTTP access to the plugin’s administrative URLs by implementing role‑based access control or firewall rules to prevent unauthenticated requests to the clean_options endpoint.

Generated by OpenCVE AI on April 21, 2026 at 18:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 30 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Remyb92
Remyb92 translate Wordpress And Go Multilingual
Wordpress
Wordpress wordpress
Vendors & Products Remyb92
Remyb92 translate Wordpress And Go Multilingual
Wordpress
Wordpress wordpress

Thu, 30 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Oct 2025 05:45:00 +0000

Type Values Removed Values Added
Description The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clean_options' function in all versions up to, and including, 5.1. This makes it possible for unauthenticated attackers to delete limited transients that contain cached plugin options.
Title Translate WordPress and go Multilingual – Weglot <= 5.1 - Missing Authorization to Unauthenticated Limited Transient Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Remyb92 Translate Wordpress And Go Multilingual
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:25.267Z

Reserved: 2025-09-04T21:45:42.043Z

Link: CVE-2025-10008

cve-icon Vulnrichment

Updated: 2025-10-30T14:01:41.705Z

cve-icon NVD

Status : Deferred

Published: 2025-10-30T06:15:42.690

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10008

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T18:45:06Z

Weaknesses