CVE-2026-49776

Vulnerability

An unauthenticated SQL injection vulnerability exists in the GPTranslate – Multilingual AI Translation for WordPress plugin versions up to 2.32.6. The flaw allows an attacker to inject arbitrary SQL queries without requiring authentication or any user interaction. [1]

Exploitation

An attacker with network access to the WordPress site can send specially crafted requests to the vulnerable plugin endpoints. No authentication is needed, making the attack remotely exploitable. The vulnerability is expected to be exploited in mass campaigns targeting thousands of websites simultaneously. [1]

Impact

Successful exploitation permits an attacker to directly interact with the underlying database, potentially extracting sensitive information such as user credentials, personal data, and site configuration. This could lead to full site compromise and data breach. [1]

Mitigation

Users must update to version 2.32.7 or later immediately. Patchstack has issued a mitigation rule to block attacks until the update is applied. Enabling auto-updates for vulnerable plugins is recommended for ongoing protection. No workaround other than the patch is available. [1]