Description
The Smartcat Translator for WPML plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 3.1.72 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-09-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated SQL Injection
Action: Apply Patch
AI Analysis

Impact

The Smartcat Translator for WPML plugin is vulnerable to time-based SQL injection via the ‘orderby’ parameter. All releases up to and including 3.1.72 allow an authenticated user with Author or higher privileges to append arbitrary SQL to the existing query because the parameter is neither properly escaped nor bound. The vulnerability is a classic CWE-89 flaw that can be used to read sensitive database information, such as user credentials, content, or configuration data, thereby compromising confidentiality. Exploitation requires a single authenticated web user with sufficient role privileges; however, that attacker can obtain arbitrary data from the database, potentially leading to broader compromise if credentials are exposed.

Affected Systems

The flaw affects the Smartcat Translator for WPML plugin in all versions up through 3.1.72. Smartcatai is the vendor, and the product is Smartcat Translator for WPML. No specific patch version is listed in the original data, so any release after 3.1.72 is likely to contain the fix.

Risk and Exploitability

The CVSS score is 6.5, which represents a moderate risk level. The EPSS score is less than 1%, indicating a very low probability that the flaw is being actively exploited in the wild. The vulnerability is not present in the CISA KEV catalog, so it is not known to have been widely exploited yet. Attackers must first authenticate and hold at least the Author role; once authenticated, they can craft a URL or form request with a malicious ‘orderby’ value and cause the application to execute the injected SQL, extracting data from the database. Because the plugin produces no error message or other visible indicator, exploitation is stealthy unless the responses are captured and examined.

Generated by OpenCVE AI on April 20, 2026 at 19:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Smartcat Translator for WPML plugin to the latest version (3.1.73 or newer) that removes the vulnerable ‘orderby’ handling.
  • Until an update can be applied, restrict users with the Author role or higher from accessing the plugin’s language settings, or disable the WPML functionality for those roles, to prevent exploitation.
  • Apply a temporary workaround by sanitizing or validating the ‘orderby’ parameter on the server side to allow only a whitelist of expected values before passing it to the database, ensuring it is not concatenated into the SQL query.
  • Continuously monitor database logs and account activity for unusual query patterns or unauthorized data access following an update.
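As an added illustration of the allow-list approach in the third action above (example code written for this page, not the plugin's own source; the table name, column names and function names are placeholders), the pattern maps the client-supplied ‘orderby’ value onto known column names before it reaches the query, since column identifiers cannot be bound as prepared-statement parameters:

```php
<?php
// Added example for this page; not code from the Smartcat Translator for WPML plugin.
// Table and column names below are placeholders (assumptions), not the plugin's schema.

/**
 * Resolve a client-supplied 'orderby' value against a fixed allow-list.
 * Identifiers (column names) cannot be bound with $wpdb->prepare(), so the
 * safe approach is to map the request onto known column names and fall back
 * to a default for anything else, never interpolating the raw input.
 */
function example_safe_orderby( $requested, $default = 'id' ) {
    $allowed = array(
        'id'     => 'id',
        'date'   => 'created_at',
        'status' => 'status',
    );
    $key = strtolower( trim( (string) $requested ) );
    return isset( $allowed[ $key ] ) ? $allowed[ $key ] : $allowed[ $default ];
}

/** Sort direction: anything other than 'desc' becomes 'ASC'. */
function example_safe_order( $requested ) {
    return 'desc' === strtolower( trim( (string) $requested ) ) ? 'DESC' : 'ASC';
}

/**
 * Build the list query. The ORDER BY identifiers come only from the allow-list,
 * so interpolating them is safe; the numeric LIMIT is still bound via prepare().
 */
function example_build_list_query( $wpdb, $orderby_in, $order_in, $per_page ) {
    $orderby = example_safe_orderby( $orderby_in );
    $order   = example_safe_order( $order_in );
    $table   = $wpdb->prefix . 'example_translation_jobs'; // placeholder table
    return $wpdb->prepare(
        "SELECT * FROM {$table} ORDER BY {$orderby} {$order} LIMIT %d",
        absint( $per_page )
    );
}

// Typical call site inside a WordPress request handler (global $wpdb in scope):
// $sql  = example_build_list_query( $wpdb, $_GET['orderby'] ?? '', $_GET['order'] ?? '', $_GET['per_page'] ?? 20 );
// $rows = $wpdb->get_results( $sql );
```

WordPress core also provides sanitize_sql_orderby(), but it only checks that the string is shaped like a column list with optional ASC/DESC; it does not restrict which columns may be named, so an explicit allow-list as above is the stricter control.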

Advisories
Source: EUVD
ID: EUVD-2025-27646
Title: The Smartcat Translator for WPML plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 3.1.69 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type: Description
  Removed: The Smartcat Translator for WPML plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 3.1.69 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
  Added: The Smartcat Translator for WPML plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 3.1.72 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Type: Title
  Removed: Smartcat Translator for WPML <= 3.1.69 - Authenticated (Author+) SQL Injection via orderby Parameter
  Added: Smartcat Translator for WPML <= 3.1.72 - Authenticated (Author+) SQL Injection via orderby Parameter
Type: References

Fri, 12 Sep 2025 09:15:00 +0000

Type: First Time appeared
  Added: Smartcatai; Smartcatai smartcat Translator For Wpml Plugin; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Added: Smartcatai; Smartcatai smartcat Translator For Wpml Plugin; Wordpress; Wordpress wordpress

Thu, 11 Sep 2025 15:15:00 +0000

Type: Metrics (ssvc)
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Sep 2025 07:30:00 +0000

Type: Description
  Added: The Smartcat Translator for WPML plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 3.1.69 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Type: Title
  Added: Smartcat Translator for WPML <= 3.1.69 - Authenticated (Author+) SQL Injection via orderby Parameter
Type: Weaknesses
  Added: CWE-89
Type: References
Type: Metrics (cvssV3_1)
  Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:59.922Z

Reserved: 2025-08-25T14:10:58.778Z

Link: CVE-2025-9451

Vulnrichment

Updated: 2025-09-11T13:44:16.665Z

NVD

Status : Deferred

Published: 2025-09-11T08:15:36.743

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9451

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:45:15Z

Weaknesses