GPTranslate - Multilingual AI Translation for WordPress
Unauthenticated SQL injection in the GPTranslate - Multilingual AI Translation for WordPress plugin (versions 2.32.6 and earlier) by jExtensions Store allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The CVSS 9.3 score reflects a scope change with high confidentiality impact and low availability impact, indicating data exposure beyond the plugin's own context. No public exploit identified at time of analysis, but the unauthenticated nature and WordPress plugin attack surface make this a high-priority patch.
Stored cross-site scripting in the GPTranslate - Multilingual AI Translation WordPress plugin (versions ≤ 2.31) allows unauthenticated attackers to inject arbitrary JavaScript into translated pages via the /wp-json/gptranslate/v1/request REST endpoint. Because the API key is deterministically derived as sha256(site_url) and exposed in every page's HTML as the gptApiKey JavaScript variable, any visitor can recover it and submit malicious translation payloads that execute in the browsers of subsequent visitors. No public exploit identified at time of analysis, but the exposed key makes exploitation trivial once the technique is known.