Unauthenticated SQL Injection in GPTranslate Plugin for WordPress
CVE-2026-49776

9.3CRITICAL

Key Information:

Vendor: WordPress
Status: Gptranslate – Multilingual Ai Translation For WordPress: Automatically Translate Websites
Vendor: CVE Published:; 15 June 2026

What is CVE-2026-49776?

The GPTranslate plugin for WordPress allows users to automatically translate websites but contains a vulnerability that can be exploited via unauthenticated SQL injection. If attackers exploit this vulnerability, they could manipulate the database and access sensitive information, posing a significant risk to website integrity and security. Users of versions 2.32.6 and lower should take immediate action to secure their sites and apply the necessary updates.

Affected Version(s)

GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites <= 2.32.6

References

https://patchstack.com/database/wordpress/plugin/gptransl...

vdb-entry

CVSS V3.1

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 15, 2026
Vulnerability Reserved
Jun 1, 2026

Credit

HaiND | Patchstack Bug Bounty Program

CVE-2026-49776 Data

JSON