What happened
CVE-2026-9109 was published by NVD on June 13, 2026 (CVSS 7.2 HIGH). The GPTranslate – Multilingual AI Translation for WordPress plugin, in all versions up to and including 2.31, contains a Stored Cross-Site Scripting vulnerability in its REST API Translation Storage functionality. The endpoint stores translation text supplied in the request without sufficient input sanitization, and the plugin renders that stored text without output escaping. An authenticated attacker with Contributor-level access or higher can therefore store arbitrary script that later executes in the browser of anyone who views the affected translated page, including administrators. The first fix reference points to tag 2.27.5, which predates the stated affected ceiling of 2.31; the actual fixed version should be confirmed against the plugin changelog.
Why it matters
GPTranslate uses AI (LLM-based translation) as its core feature, so translated text is produced by a model, sent to the site through the REST API, and stored for later display. The LLM is not the injection point: the REST storage endpoint accepts whatever translation text the caller submits, and a Contributor can submit script directly. Contributors normally cannot post unfiltered HTML in WordPress, so this endpoint is a bypass of that control. On sites that treat AI-translated output as trusted and render it unescaped, the stored script runs with the privileges of whoever views the page. WordPress sets its authentication cookies as HttpOnly, so direct cookie theft is usually not possible; the realistic impact is script acting inside an administrator's session (for example, using the REST nonce already present in admin pages to create a new administrator or install a plugin), redirecting visitors, defacing content, or reading anything the viewing user can see. This affects any site using the plugin to power multilingual AI-driven content.
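The following is an added illustration of the vulnerable pattern and its hardened form; it is hypothetical plugin code written for this page, not GPTranslate's code, and the route namespace example-translate/v1, the meta key prefix _translation_ and the function names are assumptions. It shows why a Contributor is enough: the permission check passes for the Contributor's own post, and the bug is the missing sanitization on write and escaping on read, not a missing authorization check. Custom meta written through a custom REST endpoint is not covered by the kses filtering core applies to post_content, so the plugin has to filter it itself.

```php
<?php
// Added example, not GPTranslate's code. Hypothetical plugin 'example-translate'
// storing per-post translations via the REST API: vulnerable form, then hardened form.

// --- Vulnerable pattern: caller-supplied translation stored and echoed verbatim ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-translate/v1', '/translation/(?P<id>\d+)', array(
        'methods'             => 'POST',
        // Authorization is present: Contributors can edit their own (unpublished) posts,
        // so this passes for a Contributor targeting a post they authored.
        'permission_callback' => function ( WP_REST_Request $req ) {
            return current_user_can( 'edit_post', (int) $req['id'] );
        },
        'callback' => function ( WP_REST_Request $req ) {
            // BUG: raw request body stored without sanitization; <script> and on*= survive.
            update_post_meta( (int) $req['id'], '_translation_' . $req['lang'], $req['text'] );
            return rest_ensure_response( array( 'stored' => true ) );
        },
    ) );
} );

function example_translate_render_vulnerable( $post_id, $lang ) {
    // BUG: no output escaping; the stored payload runs for every viewer, including admins.
    echo get_post_meta( $post_id, '_translation_' . $lang, true );
}

// --- Hardened pattern: validate arguments, sanitize on write, escape on read ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-translate/v1', '/safe-translation/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'permission_callback' => function ( WP_REST_Request $req ) {
            return current_user_can( 'edit_post', (int) $req['id'] );
        },
        'args' => array(
            'lang' => array(
                'required'          => true,
                // Language tag only; validation runs before sanitization in the REST server.
                'validate_callback' => function ( $value ) {
                    return (bool) preg_match( '/^[a-z]{2}(-[a-z]{2})?$/i', $value );
                },
                'sanitize_callback' => 'sanitize_key',
            ),
            'text' => array(
                'required'          => true,
                // Same HTML allow-list core applies to post content for users
                // without the unfiltered_html capability: strips <script>, on*= handlers,
                // javascript: URLs, keeps ordinary formatting a translation needs.
                'sanitize_callback' => 'wp_kses_post',
            ),
        ),
        'callback' => function ( WP_REST_Request $req ) {
            update_post_meta( (int) $req['id'], '_translation_' . $req['lang'], $req['text'] );
            return rest_ensure_response( array( 'stored' => true ) );
        },
    ) );
} );

function example_translate_render_safe( $post_id, $lang ) {
    $stored = get_post_meta( $post_id, '_translation_' . sanitize_key( $lang ), true );
    // Filter on output as well, so translations stored before the fix are neutralized too.
    echo wp_kses_post( $stored );
}
```

Filtering on both write and read is deliberate: sanitizing only on write leaves already-stored payloads live after an update, and escaping only on read leaves the raw script in the database where another consumer (an export, an email digest, a mobile app) may render it.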
Attack vector
An authenticated attacker with Contributor-level access or higher submits a translation containing script through the REST API translation storage endpoint. The payload is stored and executes in the browser of anyone who later views the affected translated page, including logged-in administrators. Contributor accounts are a low bar on many sites: open registration, guest-author programs, and translation vendors are all common ways an outsider holds one.
Affected systems
GPTranslate – Multilingual AI Translation for WordPress plugin, all versions ≤ 2.31
Mitigation
Update the GPTranslate plugin to the latest release. The advisory's fix reference points to tag 2.27.5, but the affected range extends through 2.31, so 2.27.5 cannot be the version that resolves this; confirm the patched version in the plugin changelog before treating the site as remediated. Until patched, restrict or audit Contributor-level accounts, or deactivate the plugin. Updating does not remove payloads already stored, so review existing translations for injected markup after the upgrade. NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-9109
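A post-update sweep for stored payloads, as an added example that is not part of the advisory or the plugin. The advisory does not say where GPTranslate keeps translations, so this assumes wp_postmeta and wp_options and should be pointed at the plugin's own tables if it uses any; the function name and the substring list are assumptions. It is written to run under WP-CLI with `wp eval-file sweep-stored-markup.php`.

```php
<?php
// Added example, not GPTranslate's code. Run with: wp eval-file sweep-stored-markup.php
// Looks for markup that typically indicates a stored XSS payload in postmeta and options.
// Assumes translations live in those two tables; adjust if the plugin uses its own tables.

function example_find_suspicious_stored_markup() {
    global $wpdb;

    // Substrings worth a manual look. '<svg' and '<iframe' will also match legitimate
    // embeds, so treat hits as a triage list, not a verdict.
    $needles = array( '<script', 'javascript:', 'onerror=', 'onload=', 'onmouseover=', '<svg', '<iframe' );
    $hits    = array();

    foreach ( $needles as $needle ) {
        $like = '%' . $wpdb->esc_like( $needle ) . '%';

        $meta_rows = $wpdb->get_results( $wpdb->prepare(
            "SELECT post_id, meta_key FROM {$wpdb->postmeta} WHERE meta_value LIKE %s",
            $like
        ) );
        foreach ( $meta_rows as $row ) {
            $hits[] = array(
                'where'  => 'postmeta',
                'ref'    => "post_id={$row->post_id} meta_key={$row->meta_key}",
                'needle' => $needle,
            );
        }

        $option_rows = $wpdb->get_results( $wpdb->prepare(
            "SELECT option_name FROM {$wpdb->options} WHERE option_value LIKE %s",
            $like
        ) );
        foreach ( $option_rows as $row ) {
            $hits[] = array(
                'where'  => 'options',
                'ref'    => "option_name={$row->option_name}",
                'needle' => $needle,
            );
        }
    }

    return $hits;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    $hits = example_find_suspicious_stored_markup();
    if ( empty( $hits ) ) {
        WP_CLI::success( 'No suspicious stored markup found.' );
    } else {
        foreach ( $hits as $hit ) {
            WP_CLI::line( sprintf( '%-8s %-60s matched %s', $hit['where'], $hit['ref'], $hit['needle'] ) );
        }
        WP_CLI::warning( count( $hits ) . ' candidate rows; review each before deleting.' );
    }
}
```

The LIKE matching is case-sensitive or not depending on the table collation (the WordPress default utf8mb4 collations are case-insensitive), so mixed-case payloads such as `<ScRiPt` are still caught on a default install; on a case-sensitive collation, add LOWER(meta_value) to the query. Pair the sweep with a check of the site's user list for administrator accounts created around the time of the suspicious rows.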