Description
The GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API Translation Storage in all versions up to, and including, 2.31 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The deterministically derived API key (sha256 of the site URL) is printed in the HTML source of every page via the JavaScript variable gptApiKey, meaning any unauthenticated visitor can retrieve the key and submit malicious translation payloads to the /wp-json/gptranslate/v1/request endpoint without any additional precondition.
Published: 2026-06-13
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability, present in all releases of the GPTranslate – Multilingual AI Translation for WordPress plugin up to and including 2.31, allows any unauthenticated visitor to inject arbitrary JavaScript into stored translation entries. The plugin defeats input sanitization and output escaping, so malicious payloads persist in the database and are served to every requester that views the affected page. The exploit risks both confidentiality and integrity: injected scripts run with the privileges of the site’s front‑end user, enabling credential theft, defacement, or further lateral movement. The deterministically derived API key, printed as a JavaScript variable on each page, removes the need for any elevated privileges or authentication, making the attack trivial for anyone who can view the site.

Affected Systems

All WordPress installations that have installed GPTranslate by john‑dagelmore, specifically versions 2.31 and older. The vulnerability is limited to the GPTranslate plugin and does not affect core WordPress or other plugins unless they also expose the same API endpoint. Affected sites are those running WordPress with this plugin and rendering pages that include translation content. Versions beyond 2.31 are presumed not vulnerable, but administrators should verify the current release notes for any remaining issues.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity, while the EPSS value is not available, suggesting a potential but unquantified exploitation opportunity. The vulnerability is not listed in the CISA KEV catalog, so it has not been reported as a widely exploited threat yet. Attackers can exploit it via the /wp-json/gptranslate/v1/request endpoint without authentication, leveraging the exposed API key to submit malicious translations. Once stored, the payload executes on every subsequent page load viewed by any user, providing persistent cross‑site scripting. Because no additional privileges are required, the exploit surface is wide and the likelihood of detection low, thereby presenting a significant long‑term risk to affected WordPress sites.

Generated by OpenCVE AI on June 13, 2026 at 08:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GPTranslate to version 2.32 or later where the stored XSS flaw is fixed.
  • If an immediate upgrade is not possible, block or restrict the /wp-json/gptranslate/v1/request endpoint so that only authenticated, authorized administrators can submit payloads, for example by adding a rule to the .htaccess file or using a security plugin to limit REST API access.
  • Manually inspect and purge any translations that may contain malicious scripts, then regenerate or delete translations to ensure no compromised data remains in the database.

Generated by OpenCVE AI on June 13, 2026 at 08:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 13 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared John-dagelmore
John-dagelmore gptranslate – Multilingual Ai Translation For Wordpress: Automatically Translate Websites
Wordpress
Wordpress wordpress
Vendors & Products John-dagelmore
John-dagelmore gptranslate – Multilingual Ai Translation For Wordpress: Automatically Translate Websites
Wordpress
Wordpress wordpress

Sat, 13 Jun 2026 07:00:00 +0000

Type Values Removed Values Added
Description The GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API Translation Storage in all versions up to, and including, 2.31 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The deterministically derived API key (sha256 of the site URL) is printed in the HTML source of every page via the JavaScript variable gptApiKey, meaning any unauthenticated visitor can retrieve the key and submit malicious translation payloads to the /wp-json/gptranslate/v1/request endpoint without any additional precondition.
Title GPTranslate <= 2.31 - Unauthenticated Stored Cross-Site Scripting via REST API Translation Storage
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

John-dagelmore Gptranslate – Multilingual Ai Translation For Wordpress: Automatically Translate Websites
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-15T17:23:28.784Z

Reserved: 2026-05-20T17:27:45.605Z

Link: CVE-2026-9109

cve-icon Vulnrichment

Updated: 2026-06-15T17:23:23.282Z

cve-icon NVD

Status : Deferred

Published: 2026-06-13T07:16:14.853

Modified: 2026-06-15T20:42:32.707

Link: CVE-2026-9109

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T12:28:54Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')