PatchSiren cyber security CVE debrief

CVE-2026-9109 john-dagelmore CVE debrief

The GPTranslate – Multilingual AI Translation for WordPress plugin is vulnerable to Stored Cross-Site Scripting via REST API Translation Storage. This vulnerability affects all versions up to, and including, 2.31 due to insufficient input sanitization and output escaping. An unauthenticated attacker can inject arbitrary web scripts into pages, which will execute when a user accesses an injected page. The API key, derived from the site URL, is exposed in the HTML source of every page via the JavaScript variable gptApiKey. This allows any unauthenticated visitor to retrieve the key and submit malicious translation payloads to the /wp-json/gptranslate/v1/request endpoint.

Vendor: john-dagelmore
Product: GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites
CVSS: HIGH 7.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-13
Original CVE updated: 2026-06-13
Advisory published: 2026-06-13
Advisory updated: 2026-06-13

Who should care

Site owners running the GPTranslate – Multilingual AI Translation for WordPress plugin at any version up to and including 2.31 are affected and should apply the defensive actions below. Because the key needed to reach the translation endpoint is exposed to every visitor, no account is required to exploit the issue.

Technical summary

The vulnerability is caused by insufficient input sanitization and output escaping in the GPTranslate plugin. This allows unauthenticated attackers to inject arbitrary web scripts, which can be executed when a user accesses an affected page. The exposure of the API key (derived from the site URL) in the HTML source of every page via the JavaScript variable gptApiKey facilitates exploitation.

Defensive priority

HIGH

Recommended defensive actions

  • Update the GPTranslate plugin to a version beyond 2.31.
  • Use a Web Application Firewall (WAF) to detect and block script injection attempts, in particular requests carrying HTML or script markup to the /wp-json/gptranslate/v1/request endpoint.
  • Regularly monitor the site for unexpected requests to the /wp-json/gptranslate/v1/request endpoint and for unfamiliar script content in stored translations.
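As an added example, not part of the PatchSiren debrief or the plugin's own code: a small Python triage script that pulls requests to the /wp-json/gptranslate/v1/request endpoint out of a web server access log and flags source addresses worth reviewing. It assumes the Apache/nginx "combined" log format and that translation submissions are POST requests (the advisory names the endpoint but not the method); the log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jun/2026:08:01:10 +0000] "GET /about/ HTTP/1.1" 200 14231 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jun/2026:08:01:12 +0000] "POST /wp-json/gptranslate/v1/request HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [13/Jun/2026:08:01:13 +0000] "POST /wp-json/gptranslate/v1/request HTTP/1.1" 200 498 "-" "python-requests/2.31"
203.0.113.7 - - [13/Jun/2026:08:01:14 +0000] "POST /wp-json/gptranslate/v1/request?x=1 HTTP/1.1" 403 162 "-" "python-requests/2.31"
198.51.100.23 - - [13/Jun/2026:08:02:31 +0000] "POST /wp-json/gptranslate/v1/request HTTP/1.1" 200 530 "https://example.test/about/" "Mozilla/5.0"
"""

ENDPOINT = "/wp-json/gptranslate/v1/request"  # endpoint named in the advisory

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def endpoint_hits(log_text):
    """All parsed requests whose path (query string ignored) is the GPTranslate endpoint."""
    recs = (parse_line(line) for line in log_text.splitlines())
    return [r for r in recs if r and r["path"].split("?", 1)[0] == ENDPOINT]

def accepted_writes_by_ip(log_text):
    """Accepted (2xx) POSTs to the endpoint per source address.
    Assumption: translation submissions are POSTs; the advisory does not state the method."""
    return Counter(r["ip"] for r in endpoint_hits(log_text)
                   if r["method"] == "POST" and r["status"].startswith("2"))

def suspicious_sources(log_text, threshold=2):
    """Sources worth reviewing: at least `threshold` accepted writes, or a POST with no
    referer (a page-driven translation request normally carries one; a bare scripted
    client hitting the endpoint does not)."""
    flagged = {r["ip"] for r in endpoint_hits(log_text)
               if r["method"] == "POST" and r["referer"] in ("", "-")}
    flagged |= {ip for ip, n in accepted_writes_by_ip(log_text).items() if n >= threshold}
    return sorted(flagged)

if __name__ == "__main__":
    for ip in suspicious_sources(SAMPLE_LOG):
        print("review translation writes from", ip)
```

Flagged addresses are a starting point for review, not proof of compromise: check the translations stored around those timestamps for unexpected markup.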

Evidence notes

The CVE-2026-9109 record and details from the National Vulnerability Database (NVD) and Wordfence provide evidence for this vulnerability.

Official resources

CVE-2026-9109 was published and modified on 2026-06-13T07:16:14.853Z.