GPTranslate <= 2.31 - Unauthenticated Stored Cross-Site Scripting via REST API Translation Storage
CVE-2026-9109

7.2HIGH

Key Information:

Vendor: WordPress
Status: Gptranslate – Multilingual Ai Translation For WordPress: Automatically Translate Websites
Vendor: CVE Published:; 13 June 2026

What is CVE-2026-9109?

The GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API Translation Storage in all versions up to, and including, 2.31 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The deterministically derived API key (sha256 of the site URL) is printed in the HTML source of every page via the JavaScript variable gptApiKey, meaning any unauthenticated visitor can retrieve the key and submit malicious translation payloads to the /wp-json/gptranslate/v1/request endpoint without any additional precondition.

Affected Version(s)

GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites 0 <= 2.31

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/gptranslate/ta...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 13, 2026
Vulnerability Reserved
May 20, 2026

Credit

Hardeep

Chris

CVE-2026-9109 Data

JSON