Description
The Smartcat Translator for WPML plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'routeData' REST endpoint in all versions up to, and including, 3.1.77. This makes it possible for unauthenticated attackers to overwrite the plugin's Smartcat API credentials (account ID, API secret key, hub key, API host, and hub host), effectively hijacking the translation service or causing a denial of service.
Published: 2026-05-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Smartcat Translator for WPML plugin allows unauthenticated attackers to call the 'routeData' REST endpoint without any capability check. Due to this missing authorization control (CWE-862), an attacker can overwrite the plugin’s Smartcat API credentials—account ID, API secret key, hub key, API host, and hub host. This permits the attacker to hijack the translation service or disrupt it by configuring invalid credentials, effectively disabling translation functionality or redirecting traffic to an attacker-controlled endpoint.

Affected Systems

WordPress sites that have the Smartcat Translator for WPML plugin installed version 3.1.77 or earlier. The vulnerable product is Smartcatai's Smartcat Translator for WPML.

Risk and Exploitability

The CVSS score of 6.5 reflects moderate severity. Because the endpoint is exposed over standard REST routes, the exploit requires only an unauthenticated HTTP request, which can be performed by any user, even without a WordPress account. The lack of EPSS data and absence from the KEV catalog indicates that while exploitation is technically straightforward, no active or widespread attacks are currently documented. Nevertheless, the ability to change API credentials is a serious privilege‑escalation risk and should be addressed promptly.

Generated by OpenCVE AI on May 15, 2026 at 10:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Smartcat Translator for WPML to version 3.1.78 or later
  • If an update cannot be applied immediately, remove or disable the 'routeData' REST endpoint (e.g., by editing the plugin files or adding a custom rewrite rule to block access)
  • After remediation, review any exposed Smartcat API keys and rotate them if they were previously accessible to potential attackers

Generated by OpenCVE AI on May 15, 2026 at 10:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Smartcatai
Smartcatai smartcat Translator For Wpml Plugin
Wordpress
Wordpress wordpress
Vendors & Products Smartcatai
Smartcatai smartcat Translator For Wpml Plugin
Wordpress
Wordpress wordpress

Fri, 15 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description The Smartcat Translator for WPML plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'routeData' REST endpoint in all versions up to, and including, 3.1.77. This makes it possible for unauthenticated attackers to overwrite the plugin's Smartcat API credentials (account ID, API secret key, hub key, API host, and hub host), effectively hijacking the translation service or causing a denial of service.
Title Smartcat Translator for WPML <= 3.1.77 - Missing Authorization to Unauthenticated Plugin Settings Update
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

Smartcatai Smartcat Translator For Wpml Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-15T13:27:04.604Z

Reserved: 2026-03-23T23:05:36.509Z

Link: CVE-2026-4683

cve-icon Vulnrichment

Updated: 2026-05-15T13:26:59.968Z

cve-icon NVD

Status : Deferred

Published: 2026-05-15T09:16:16.487

Modified: 2026-05-15T14:09:15.910

Link: CVE-2026-4683

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T11:15:25Z

Weaknesses