CVE-2025-58236
Description
Cross-Site Request Forgery (CSRF) vulnerability in Mayo Moriyama Force Update Translations force-update-translations allows Cross Site Request Forgery. This issue affects Force Update Translations: from n/a through <= 0.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in WordPress Force Update Translations plugin (<=0.5) allows attackers to force privileged users to execute unwanted actions.
The Force Update Translations plugin for WordPress (versions 0.5 and earlier) contains a Cross-Site Request Forgery (CSRF) vulnerability. The plugin fails to implement proper CSRF tokens or validation on certain administrative actions, allowing an attacker to craft malicious requests that are executed under the authentication of a privileged user [1].
Exploitation requires user interaction: a privileged user (such as an administrator) must be tricked into clicking a malicious link, visiting a crafted page, or submitting a form while authenticated to the WordPress admin panel. The attack can be initiated remotely without any special privileges, but the victim must perform the action [1].
If successfully exploited, an attacker can force the victim to perform unintended actions within the plugin, such as triggering translation updates without the user's consent. This could lead to unauthorized changes in the site's translation files or other plugin-specific operations [1].
The vulnerability has been addressed in version 0.6.0 of the plugin. Users are strongly advised to update to this version or later. Patchstack users can enable auto-updates for vulnerable plugins to mitigate the risk [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <= 0.5
- (no CPE) range: <= 0.5
Patches
No patches discovered yet.
References
1
News mentions
No linked articles in our index yet.