What happened
CVE-2026-49776 (CVSS 9.3, Critical) was published by NVD on 2026-06-15. It is an unauthenticated SQL injection in the GPTranslate WordPress plugin, affecting versions 2.32.6 and earlier. Because no login is required, anyone who can reach the site can read the WordPress database: the wp_users table (usernames, e-mail addresses and password hashes), any API keys the plugin stores for its LLM provider (e.g. OpenAI), which plugins commonly keep in plaintext in wp_options, and all site content.
Why it matters
AI translation plugins need an LLM provider API key (OpenAI etc.) and commonly keep it in the WordPress database, where any SQL injection can read it. A successful attack therefore does more than compromise the site: it hands the attacker a working provider credential that is billed to the site owner until it is revoked. Critical CVSS, no authentication required, and a credential-theft payoff make this a high-urgency patch, and patching alone does not invalidate a key that has already been read.
Attack vector
An unauthenticated remote attacker sends a crafted HTTP request to the vulnerable plugin endpoint (this page does not name the endpoint or parameter). The bug class is user-controlled input concatenated into a database query instead of being passed through $wpdb->prepare(), so the attacker controls part of the SQL that WordPress executes. That gives direct read access to the database, via UNION-based or blind extraction, without any credentials. Whether writes are also possible depends on the statement the injection lands in: WordPress's $wpdb does not execute stacked statements, so injecting into a SELECT does not by itself allow an INSERT or UPDATE.
Affected systems
GPTranslate – Multilingual AI Translation for WordPress ≤ 2.32.6
Mitigation
Update GPTranslate to a version newer than 2.32.6. If you cannot update immediately, deactivate the plugin or block its endpoints at the WAF until you can. Because the vulnerable versions expose the plugin's stored LLM API key, treat that key as compromised on any site that ran an affected version while exposed: rotate it with the provider and review the provider's usage dashboard for unexpected consumption. Also review web server logs for unusual requests to the plugin's endpoints; if there is evidence of exploitation, reset user passwords and rotate the WordPress auth salts. See Patchstack advisory: https://patchstack.com/database/wordpress/plugin/gptranslate/vulnerability/wordpress-gptranslate-multilingual-ai-translation-for-wordpress-automatically-translate-websites-plugin-2-32-6-sql-injection-vulnerability
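The script below is an added example (not code from the advisory, NVD or the GPTranslate project) for sweeping several WordPress installs and flagging any whose GPTranslate version falls in the affected range. It assumes WP-CLI is on PATH, that the plugin slug is gptranslate (as in the Patchstack URL above), and, for the option inventory printed on a hit, that the plugin stores its settings under option names beginning with gptranslate; that prefix is a guess and must be checked against the plugin's own source. The version comparison is done component by component because a string compare would wrongly rank 2.4 above 2.32.6 and 2.32.10 below it.

```shell
#!/bin/sh
# check_gptranslate.sh - flag WordPress installs running GPTranslate <= 2.32.6
# (CVE-2026-49776). Added example, not code from the advisory or the plugin.
# Assumptions: WP-CLI ("wp") is on PATH; the plugin slug is "gptranslate"
# (as in the Patchstack URL); the option-name prefix "gptranslate" used for
# the inventory is a guess to be verified against the plugin source.

# version_le A B: exit 0 when version A <= version B.
# Dotted components are compared numerically, so 2.4 < 2.32.6 and
# 2.32.10 > 2.32.6. Missing components count as 0 (2.32 < 2.32.6) and a
# pre-release suffix such as "6-beta" is ignored.
version_le() {
  v1=$1
  v2=$2
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    a=${v1%%.*}
    b=${v2%%.*}
    case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
    case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    a=${a%%[!0-9]*}
    b=${b%%[!0-9]*}
    a=${a:-0}
    b=${b:-0}
    [ "$a" -lt "$b" ] && return 0
    [ "$a" -gt "$b" ] && return 1
  done
  return 0
}

# Affected range from the advisory: every release up to and including 2.32.6.
is_vulnerable_gptranslate() {
  version_le "$1" 2.32.6
}

# Report on one WordPress install (directory containing wp-config.php).
# Exit status: 0 = not affected or plugin absent, 1 = affected version found.
check_site() {
  site=$1
  if ! v=$(wp --path="$site" plugin get gptranslate --field=version 2>/dev/null); then
    echo "$site: GPTranslate not installed"
    return 0
  fi
  if is_vulnerable_gptranslate "$v"; then
    echo "$site: VULNERABLE - GPTranslate $v (<= 2.32.6): update, then rotate the stored LLM API key"
    # Inventory the plugin's stored options so you know what needs rotating.
    # The "gptranslate%" prefix is assumed; adjust to match the plugin's code.
    wp --path="$site" option list --search='gptranslate%' --fields=option_name 2>/dev/null
    return 1
  fi
  echo "$site: ok - GPTranslate $v"
  return 0
}

# main PATH...: check every install given; exit 1 if any is affected.
main() {
  command -v wp >/dev/null 2>&1 || { echo "wp-cli not found on PATH" >&2; return 2; }
  status=0
  for site in "$@"; do
    check_site "$site" || status=1
  done
  return $status
}

# Usage: ./check_gptranslate.sh /var/www/site1 /var/www/site2
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it from cron or a config-management job across your WordPress fleet; a non-zero exit from main means at least one install is still on an affected version and its provider key should be treated as exposed.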