Impact
Unauthenticated SQL Injection is present in GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites plugin versions 2.32.6 and earlier. The flaw allows attackers to inject arbitrary SQL statements through unsanitized input fields. This can lead to data exposure, modification, or deletion within the WordPress database. The vulnerability is classified as CWE‑89, indicating improper handling of untrusted input that influences database queries.
Affected Systems
The vulnerability affects websites running the GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites plugin on WordPress, specifically versions 2.32.6 and earlier. Any site that has this plugin installed and has not upgraded is at risk.
Risk and Exploitability
The CVSS score of 9.3 indicates a high‑severity flaw, and the EPSS score of less than 1% suggests a low but nonzero likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog, so there are no known widespread attacks at this time. Based on the description, the likely attack path would involve an unauthenticated user supplying crafted input to a vulnerable form or endpoint, enabling the injection of malicious SQL commands.
OpenCVE Enrichment