Vulnerability  ·  2026-06-16

GPTranslate WordPress Plugin — Unauthenticated SQL Injection via AI Translation Endpoint (CVSS 9.3)

Vulnerability · High impact · Global · CVE-2026-49776
GPTranslate, a WordPress plugin that uses GPT/OpenAI APIs to automatically translate website content, contains an unauthenticated SQL injection vulnerability in versions up to and including 2.32.6. The flaw was published to NVD on June 15, 2026 with a CVSS score of 9.3 CRITICAL and disclosed via Patchstack. The plugin's AI translation REST endpoint fails to sanitize user-supplied parameters before incorporating them into database queries.
Beyond standard database compromise, exploitation of this flaw grants access to the site's OpenAI/GPT API key stored in the WordPress database, enabling API key theft for unauthorized LLM usage billed to the victim, as well as exfiltration of all translated content and user data. The unauthenticated nature of the attack (no login required) makes mass automated exploitation trivial.
An unauthenticated remote attacker sends a crafted HTTP request to the plugin's translation endpoint with SQL in an unsanitized parameter, allowing arbitrary database read/write operations, including extraction of WordPress user credentials and of API keys stored in wp_options (among them the GPT/OpenAI API key used for AI translation).
Affected: GPTranslate – Multilingual AI Translation for WordPress ≤ 2.32.6
Fix: Update GPTranslate to version 2.32.7 or later. Advisory: https://patchstack.com/database/wordpress/plugin/gptranslate/vulnerability/wordpress-gptranslate-multilingual-ai-translation-for-wordpress-automatically-translate-websites-plugin-2-32-6-sql-injection-vulnerability
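As an added illustration (not GPTranslate's code; the route, table and parameter names are hypothetical), the unsafe concatenation pattern the advisory describes is shown beside a hardened WordPress REST handler that validates the parameter and binds it with $wpdb->prepare():

```php
<?php
// Illustrative only: hypothetical route, table and parameter names, not the plugin's code.
add_action('rest_api_init', function () {
    register_rest_route('example-translate/v1', '/translations', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_translations_safe',
        // The advisory's attack surface is unauthenticated access; if the endpoint
        // must stay public, return true here, since prepare() still protects the query.
        'permission_callback' => function () {
            return current_user_can('edit_posts');
        },
        'args' => [
            'lang' => [
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                // Accept only plain locale codes such as "fr" or "pt_BR".
                'validate_callback' => function ($value) {
                    return (bool) preg_match('/^[a-z]{2,3}(_[A-Z]{2})?$/', $value);
                },
            ],
        ],
    ]);
});

// Vulnerable pattern the advisory describes: request input concatenated into SQL.
function example_get_translations_unsafe(WP_REST_Request $request) {
    global $wpdb;
    $lang = $request->get_param('lang');
    $sql  = "SELECT post_id, translated FROM {$wpdb->prefix}example_translations WHERE lang = '$lang'";
    return rest_ensure_response($wpdb->get_results($sql));
}

// Hardened version: the value is bound as a %s placeholder, so it cannot change the query.
function example_get_translations_safe(WP_REST_Request $request) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_translations'; // derived from config, not from the request
    $sql   = $wpdb->prepare(
        "SELECT post_id, translated FROM {$table} WHERE lang = %s LIMIT 100",
        $request->get_param('lang')
    );
    return rest_ensure_response($wpdb->get_results($sql));
}
```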
Sources
Patchstack Advisory — GPTranslate SQLi CVE-2026-49776
NVD CVE-2026-49776