External risk intelligence

GPTranslate SQL Injection Vulnerability Affects WordPress Translations

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-49776

An unauthenticated SQL injection vulnerability exists in a WordPress translation plugin, potentially allowing attackers to access or alter website database information. This flaw is reachable over the network, posing a risk to data integrity and confidentiality for affected sites.

Halo Surface Signal score for CVE-2026-49776: 5 (external exposure likelihood)

Weakness class: SQL Injection

This vulnerability affects a WordPress plugin designed to automatically translate websites. Such plugins are deployed on public-facing web servers and are accessible by any internet user visiting the site, making the vulnerable endpoint public-facing by design.

PCI scan relevance

Halo PCI Relevance for CVE-2026-49776: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This SQL injection vulnerability allows unauthenticated attackers to bypass security controls, which is a critical finding for PCI scans and requires remediation.

Scan-prioritization guidance only; not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This CVE describes a critical vulnerability in a WordPress plugin used for website translation. The flaw allows unauthenticated attackers to potentially access or manipulate database information through specially crafted web requests. The main concern is confirming whether this plugin is in use and assessing potential exposure.

  • Flaw in website translation plugin.
  • Could impact data integrity and availability.
  • Confirm usage and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could exploit this vulnerability by sending a specially crafted request to a WordPress site using the affected plugin. This request would target the translation feature, leading to an SQL injection that could expose sensitive database information or allow for partial system control.

  • No authentication required.
  • Triggered by requests to the translation feature.
  • Risk of data exposure and system compromise.

Live Threat

Current exploitation, exposure, and threat context

SQL injection in the GPTranslate WordPress plugin could allow an unauthenticated attacker to access or modify sensitive information within the website's database when the plugin is active and reachable over the network. This could potentially impact the integrity and confidentiality of stored data.

  • Database information could be exposed.
  • Unauthenticated network access allows injection.
  • Data integrity and confidentiality at risk.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Given the unauthenticated SQL injection in a WordPress plugin, platform or infrastructure teams supporting the WordPress environment, along with application owners responsible for the plugin's functionality, should lead the response. The immediate practical step is to identify all instances of the affected plugin, determine their internet reachability and business criticality, and then assign an owner for remediation planning.

  • Plugin and web platform owners
  • Verify plugin reachability and criticality
  • Plan and execute remediation actions

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the GPTranslate plugin for WordPress?

GPTranslate is a software extension used to automate the translation of website content into multiple languages. It functions within the WordPress ecosystem to help site owners make their pages accessible to a global audience by dynamically translating text for visitors.

What does CVE-2026-49776 mean by SQL injection?

This vulnerability is classified as CWE-89, which is Improper Neutralization of Special Elements used in an SQL Command. In plain English, it means the plugin fails to properly filter input from users. An attacker can supply malicious database commands through the translation feature, tricking the website into executing them to access or manipulate data it should not be sharing.

How is this SQL injection vulnerability triggered?

The flaw is triggered when an attacker sends a specially crafted network request to the translation functionality of the plugin. Because the plugin does not require the user to be logged in to interact with these features, no prior authentication is needed to attempt the attack. Normal, legitimate website translation requests do not trigger the bug; only requests containing malicious SQL syntax target the underlying weakness.
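As an added illustration of the CWE-89 pattern described in the two answers above (this is not GPTranslate's code; the handler, table, route and parameter names are assumptions), here is a WordPress REST handler in its vulnerable shape beside the prepared-statement form, registered without an authentication requirement, which is the kind of unauthenticated reachability the advisory describes:

```php
<?php
// Added illustration, not the plugin's code: the handler names, the
// gpt_demo_cache table, the gpt-demo/v1 route and the 'lang' parameter
// are assumptions used only to show the CWE-89 pattern and its fix.

// Vulnerable shape: the visitor-supplied string is concatenated straight
// into the SQL text, so SQL metacharacters in $lang change the query's
// structure instead of being treated as data (CWE-89).
function gpt_demo_lookup_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $lang = $request->get_param( 'lang' );
    $sql  = "SELECT translated_text FROM {$wpdb->prefix}gpt_demo_cache WHERE lang = '" . $lang . "'";
    return rest_ensure_response( $wpdb->get_var( $sql ) );
}

// Hardened shape: $wpdb->prepare() binds the value with a %s placeholder,
// so whatever the visitor sends is quoted and escaped as a literal.
function gpt_demo_lookup_hardened( WP_REST_Request $request ) {
    global $wpdb;
    $lang = $request->get_param( 'lang' );
    $sql  = $wpdb->prepare(
        "SELECT translated_text FROM {$wpdb->prefix}gpt_demo_cache WHERE lang = %s",
        $lang
    );
    return rest_ensure_response( $wpdb->get_var( $sql ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'gpt-demo/v1', '/translate', array(
        'methods'             => 'GET',
        'callback'            => 'gpt_demo_lookup_hardened',
        // '__return_true' makes the route callable by anonymous visitors,
        // which is why the query behind it must never trust its input.
        'permission_callback' => '__return_true',
        'args'                => array(
            'lang' => array(
                'required'          => true,
                // Defence in depth: reject anything that is not a plausible
                // language tag before the value ever reaches the database.
                'validate_callback' => function ( $value ) {
                    return (bool) preg_match( '/^[a-z]{2,3}(-[a-z]{2,4})?$/i', $value );
                },
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
} );
```

The prepared statement is the actual fix; the validate and sanitize callbacks narrow the input further but would not be a safe substitute for it on their own.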

Is my website at risk from this vulnerability?

According to Halo Surface Signal, this vulnerability is considered very likely to be reachable because the affected component is intentionally designed to be public-facing. If your WordPress site uses GPTranslate and is accessible to the internet, it is exposed to this risk. Sites that are strictly internal and not reachable by public web traffic face a reduced risk profile.

What should I do if I use GPTranslate?

Your first step is to verify whether your WordPress environment has this plugin installed. Once identified, assess its business criticality and network reachability. Coordinate with your application or infrastructure team to track the plugin's status and prioritize remediation planning to secure your database against unauthorized access.
