
GPTranslate WordPress Plugin CVE-2026-49776

EUVD-2026-36896 · CRITICAL
SQL Injection (CWE-89)
Published 2026-06-15 · Patchstack · GHSA-2f68-qpff-692q
CVSS 3.1 base score 9.3 (Vendor: Patchstack)

Severity by source

Vendor (Patchstack), primary: 9.3 CRITICAL
  CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

vuln.today AI: 9.9 CRITICAL
  Rationale: Unauthenticated network-reachable SQLi (AV:N/AC:L/PR:N/UI:N); scope change since SQLi reaches the WordPress DB beyond plugin authority; raised I to L since SQLi can typically modify rows.
  CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
  CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: Low

Lifecycle Timeline

Jun 15, 2026 - 20:19  CVE Published (cve.org)
Jun 15, 2026 - 21:28  Analysis Generated (vuln.today)

Description (CVE.org)

Unauthenticated SQL Injection in GPTranslate - Multilingual AI Translation for WordPress: Automatically Translate Websites <= 2.32.6 versions.

Analysis (AI)

Unauthenticated SQL injection in the GPTranslate - Multilingual AI Translation for WordPress plugin (versions 2.32.6 and earlier) by jExtensions Store allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The CVSS 9.3 score reflects a scope change with high confidentiality impact and low availability impact, indicating data exposure beyond the plugin's own context. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify WordPress sites running GPTranslate ≤ 2.32.6
Delivery: Send crafted HTTP request to vulnerable plugin endpoint
Exploit: Inject SQL payload into unsanitized parameter
Execution: Extract wp_users hashes and wp_options secrets
Persist: Crack credentials or forge sessions
Impact: Escalate to admin and persist via backdoored plugin/theme

Vulnerability Assessment (AI)

Exploitation: No special conditions; remote unauthenticated exploitation against default configurations of any WordPress site with the GPTranslate plugin versions 2.32.6 or earlier installed and activated. …
Risk Assessment: The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) is severe: network-reachable, no privileges, no user interaction, with a scope change suggesting the SQL injection can read data beyond the plugin's authorization boundary (e.g., the entire WordPress database including hashed credentials). …
Exploit Scenario: An attacker sends a crafted HTTP request to a vulnerable GPTranslate endpoint (likely an AJAX or REST handler that accepts language/translation parameters) with a SQL injection payload in a query string or POST parameter. The injected SQL executes against the WordPress database, allowing extraction of wp_users password hashes, session tokens, secret keys from wp_options, or other tenant data; the scope change (S:C) suggests data outside the plugin's authorization context is reachable. …
Remediation: An upstream fix is available per the Patchstack advisory, but the patched release number is not independently confirmed from the provided data, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/gptranslate/vulnerability/wordpress-gptranslate-multilingual-ai-translation-for-wordpress-automatically-translate-websites-plugin-2-32-6-sql-injection-vulnerability) and the WordPress plugin repository for the exact fix release above 2.32.6 and upgrade immediately. …

Recommended Action (AI)

Within 24 hours: Inventory all WordPress instances running GPTranslate and document installed versions. …
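To support that inventory step, here is an added example (not from the advisory or from vuln.today) that checks captured `wp plugin list --format=json` output from several WordPress instances against the affected range. The site names and plugin lists are constructed sample data; the slug `gptranslate` is assumed from the Patchstack advisory URL above, and the `<= 2.32.6` bound is the one the advisory states. Versions are compared numerically per component, because a plain string comparison would wrongly rank 2.32.10 below 2.32.6.

```python
"""Inventory check for the GPTranslate advisory (added example, not from the page).

Reads JSON captured from `wp plugin list --format=json` (WP-CLI) on each
WordPress instance and reports every copy of the plugin whose version is
at or below the advisory's upper bound. Sample data below is constructed.
"""
import json
from typing import NamedTuple

AFFECTED_SLUG = "gptranslate"       # assumed from the Patchstack advisory URL
AFFECTED_MAX_VERSION = "2.32.6"     # advisory: "<= 2.32.6"


def parse_version(version: str) -> tuple:
    """Split a dotted version into a comparable tuple of ints.

    Trailing non-numeric text in a component ("6-beta") is dropped after the
    leading digits, which covers the release numbers WordPress plugins use.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        parts.append(int(digits) if digits else 0)
    # Pad so that "2.32" compares equal to "2.32.0".
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed version falls inside the advisory's range."""
    return parse_version(version) <= parse_version(AFFECTED_MAX_VERSION)


class Finding(NamedTuple):
    site: str
    version: str
    status: str     # WP-CLI reports "active" / "inactive"
    affected: bool


def check_sites(inventory: dict) -> list:
    """inventory maps site name -> JSON text from `wp plugin list --format=json`.

    Inactive copies are reported as well: the exploitation note above needs the
    plugin activated, but an inactive copy is still vulnerable code that is
    exposed the moment someone activates it, so it belongs on the update list.
    """
    findings = []
    for site, raw in inventory.items():
        for plugin in json.loads(raw):
            if plugin.get("name") != AFFECTED_SLUG:
                continue
            version = plugin["version"]
            findings.append(Finding(site, version, plugin.get("status", ""),
                                    is_affected(version)))
    return findings


# Constructed sample: what three sites' `wp plugin list --format=json` might return.
SAMPLE_INVENTORY = {
    "shop.example": json.dumps([
        {"name": "akismet", "status": "active", "version": "5.3"},
        {"name": "gptranslate", "status": "active", "version": "2.32.6"},
    ]),
    "blog.example": json.dumps([
        {"name": "gptranslate", "status": "inactive", "version": "2.30.1"},
    ]),
    "docs.example": json.dumps([
        {"name": "gptranslate", "status": "active", "version": "2.32.10"},
    ]),
}

if __name__ == "__main__":
    for f in check_sites(SAMPLE_INVENTORY):
        flag = "AFFECTED" if f.affected else "ok"
        print(f"{f.site}: gptranslate {f.version} ({f.status}) -> {flag}")
```

On the sample data this flags shop.example (2.32.6, the boundary version) and blog.example (2.30.1, inactive) and clears docs.example (2.32.10), which a string comparison would have mis-flagged. The fix release itself is not stated on this page, so the script only tests the affected upper bound; once the advisory names the patched version, compare against that instead.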
