Impact
The Global Translator WordPress plugin up to version 2.0.2 contains a Cross‑Site Request Forgery flaw (CWE‑352). An unauthenticated attacker can induce a logged‑in administrator to submit requests to the site that the plugin then processes, potentially changing translations, settings, or other data. The impact is a compromise of data integrity rather than privilege escalation: the flaw only allows accidental or malicious modification of plugin‑managed content, and only while the victim is authenticated.
Affected Systems
WordPress installations running the pozzad Global Translator plugin: all releases from the initial version through 2.0.2 are affected. No specific WordPress core version is mentioned, so any site with the plugin up to this release is at risk.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation typically follows a classic CSRF path: an attacker hosts a malicious site or supplies a crafted link that automatically submits a request to the target site while an admin user is authenticated, causing the plugin to perform the requested action. No additional privileges are required beyond the victim’s authenticated session.
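Added example (not from the advisory or the plugin): a web-server log check for the CSRF path described above, flagging POST requests to the WordPress admin area whose Referer host is not the site's own. The hostname, log lines and the `page=example-plugin` parameter are constructed; the advisory does not name the plugin's endpoint.

```python
import re
from urllib.parse import urlsplit

SITE_HOST = "blog.example.test"  # assumption: hostname of the protected site
ADMIN_PREFIX = "/wp-admin/"      # WordPress admin area; the advisory names no plugin endpoint

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)

# Constructed sample lines (documentation addresses and hostnames only).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:09:14:02 +0000] "POST /wp-admin/options-general.php?page=example-plugin HTTP/1.1" 302 0 "https://blog.example.test/wp-admin/options-general.php?page=example-plugin" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2025:09:20:41 +0000] "POST /wp-admin/options-general.php?page=example-plugin HTTP/1.1" 302 0 "https://promo.example.net/win.html" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2025:09:21:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jan/2025:09:22:00 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 9120 "https://promo.example.net/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2025:09:25:33 +0000] "POST /wp-admin/options-general.php?page=example-plugin HTTP/1.1" 302 0 "https://blog.example.test.promo.example.net/x" "Mozilla/5.0"',
]

def classify(line):
    """Classify an admin POST by Referer origin; None for anything else."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST" or not m["path"].startswith(ADMIN_PREFIX):
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        return "no-referer"  # stripped by browser policy or proxy; not proof either way
    # Compare the parsed hostname exactly: a substring test would accept
    # look-alike hosts that merely start with the site's name.
    host = (urlsplit(referer).hostname or "").lower()
    return "same-origin" if host == SITE_HOST else "cross-origin"

def suspicious(lines):
    """Return the log lines that are admin POSTs arriving from another origin."""
    return [line for line in lines if classify(line) == "cross-origin"]

if __name__ == "__main__":
    for line in suspicious(SAMPLE_LOG):
        print("REVIEW:", line)
```

A missing Referer is reported separately because privacy settings can strip it, and GET requests are ignored, so this covers only POST-driven actions.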