Impact
The Global Translator plugin contains a stored cross‑site scripting flaw caused by improper neutralization of user input when generating web pages. An attacker who can inject content that the plugin persists can store malicious JavaScript that executes in the browser of any visitor who requests the affected page. This can lead to session hijacking, defacement, or the distribution of malware, thereby compromising confidentiality and integrity for site users. The weakness is identified as CWE‑79. No direct remote code execution or privilege escalation occurs without the victim’s interaction with the rendered content.
Affected Systems
The vulnerability applies to the Global Translator WordPress plugin, developed by pozzad, in all releases up to and including version 2.0.2. Sites running any of those versions are vulnerable.
Risk and Exploitability
The base CVSS score of 5.9 indicates medium severity, and the EPSS score of <1% suggests a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that an attacker is able to submit or otherwise embed malicious data into the plugin’s storage—typically through content creation or administration interfaces—and that such data is rendered to visitors without proper sanitization. Users with content‑creation privileges or administrative control over the plugin represent the primary attack surface; the flaw is not remotely exploitable without that user input.