Impact
This vulnerability, present in all releases of the GPTranslate – Multilingual AI Translation for WordPress plugin up to and including 2.31, allows any unauthenticated visitor to inject arbitrary JavaScript into stored translation entries. The plugin performs neither input sanitization nor output escaping, so malicious payloads persist in the database and are served to every visitor of the affected page. The exploit threatens both confidentiality and integrity: injected scripts run in the browser of every visitor with that visitor's front‑end privileges, enabling credential theft, defacement, or further lateral movement. Because the API key is deterministically derived and printed as a JavaScript variable on each page, no elevated privileges or authentication are needed, making the attack trivial for anyone who can view the site.
Affected Systems
All WordPress installations with the GPTranslate plugin by john‑dagelmore installed, specifically versions 2.31 and older. The vulnerability is limited to the GPTranslate plugin and does not affect core WordPress or other plugins unless they also expose the same API endpoint. Affected sites are those running WordPress with this plugin and rendering pages that include translation content. Releases later than 2.31 are presumed fixed, but administrators should confirm this against the current release notes.
Risk and Exploitability
The CVSS score of 7.2 indicates high severity; no EPSS value is available, so the probability of exploitation in the wild is unquantified. The vulnerability is not listed in the CISA KEV catalog, so it has not been reported as a widely exploited threat yet. Attackers can exploit it via the /wp-json/gptranslate/v1/request endpoint without authentication, using the exposed API key to submit malicious translations. Once stored, the payload executes on every subsequent page load by any user, providing persistent cross‑site scripting. Because no additional privileges are required, the exploit surface is wide and the likelihood of detection low, presenting a significant long‑term risk to affected WordPress sites.
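Two checks a site operator can run while assessing exposure, written as an added example that is not part of the advisory or the plugin: the first counts unauthenticated POST traffic to the /wp-json/gptranslate/v1/request endpoint named above in a web server access log, the second audits stored translation entries for markup capable of executing script, the persistence mechanism described under Impact. The log lines and translation entries are constructed samples, and the assumption that entries can be exported as (id, text) pairs is mine; the plugin's real storage layout is not documented on this page.

```python
"""Hunt for abuse of the GPTranslate REST endpoint and for script-bearing
translation entries. Added example; not plugin code. Sample data is constructed."""
import re
from collections import Counter
from html.parser import HTMLParser

ENDPOINT = "/wp-json/gptranslate/v1/request"

# Combined log format: ip ident user [time] "METHOD PATH PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed access log: one browser-driven request, two scripted ones, two unrelated.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-json/gptranslate/v1/request HTTP/1.1" 200 310 "https://example.test/about/" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-json/gptranslate/v1/request?x=1 HTTP/1.1" 200 310 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-json/gptranslate/v1/request HTTP/1.1" 200 310 "-" "python-requests/2.31"
192.0.2.77 - - [10/Mar/2024:10:00:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 800 "-" "curl/8.0"
"""


def endpoint_hits(log_text):
    """Return a Counter of client IP -> number of POSTs to the translation endpoint.
    The query string is stripped so '?x=1' variants still match."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-log format; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path == ENDPOINT:
            hits[m.group("ip")] += 1
    return hits


class ScriptFinder(HTMLParser):
    """Flag markup that can execute script: script/iframe/object/embed tags,
    on* event-handler attributes, and javascript: URLs. HTMLParser lowercases
    tag and attribute names, so the comparisons below are case-insensitive."""
    DANGEROUS_TAGS = {"script", "iframe", "object", "embed"}
    URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in self.DANGEROUS_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"attr:{name}")
            elif name in self.URL_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"url:{name}")


def audit_entries(entries):
    """entries: iterable of (id, text) pairs exported from the plugin's storage
    (assumed shape). Returns [(id, findings)] for entries carrying script-capable markup."""
    flagged = []
    for entry_id, text in entries:
        parser = ScriptFinder()
        parser.feed(text)
        parser.close()
        if parser.findings:
            flagged.append((entry_id, parser.findings))
    return flagged


# Constructed translation entries: two benign (one with harmless formatting), three malicious.
SAMPLE_ENTRIES = [
    (1, "Bienvenue sur notre site"),
    (2, "Willkommen <b>auf</b> unserer Seite"),
    (3, 'Bienvenido <img src=x onerror="alert(1)">'),
    (4, "Benvenuto <script>alert(1)</script>"),
    (5, '<a href="javascript:alert(1)">ciao</a>'),
]

if __name__ == "__main__":
    for ip, n in endpoint_hits(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} POST(s) to {ENDPOINT}")
    for entry_id, findings in audit_entries(SAMPLE_ENTRIES):
        print(f"entry {entry_id}: {', '.join(findings)}")
```

The log check is a triage aid, not proof of compromise: legitimate use of the plugin also hits the endpoint, so the signal is volume from a single client, a scripting user agent, or requests with no referer from the site. The entry audit is deliberately an allowlist-free heuristic; once suspicious entries are found, the remediation is to update the plugin, purge the flagged entries, and ensure stored translations are escaped on output.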
OpenCVE Enrichment