CRITICAL | CVE-2026-49776 | CNA: Patchstack

CVE-2026-49776: WordPress GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites plugin <= 2.32.6 - SQL Injection vulnerability

Unauthenticated SQL Injection in GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites <= 2.32.6 versions.

Metrics

CVSS v3.1: 9.3
Severity: CRITICAL
Fixed in: no fixed version published
Affected products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the GPTranslate Multilingual AI Translation plugin for WordPress in versions up to and including 2.32.6. The flaw is reachable over the network, requires no authentication and no user interaction, and has low attack complexity, so any remote attacker who can reach the site can exploit it. Successful exploitation gives an attacker read access to the WordPress database, including user credentials, session tokens, and any stored content, and can also cause limited service disruption. No fix version has been published; HarborGuard tracks the upstream advisory and will make a patched rebuild available as soon as one is released.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: CVE-2026-49776 is ingested from upstream feeds, including the Patchstack advisory, within minutes of publication and matched against container images in customer registries and CI/CD pipelines. Coverage extends to custom-built images that bundle the GPTranslate plugin, not only official WordPress images.
Triage: Available

HarborGuard is capable of scoring this CVE at its published CVSS 9.3 Critical severity and surfacing it with per-environment compliance policy weighting applied. Routing to the appropriate team inbox within each customer organization is available based on policy configuration.
Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the Patchstack and NVD advisory feeds on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, compensating controls such as network-policy isolation of WordPress containers and web application firewall rules targeting SQL injection patterns can be applied; customers with auto-remediation enabled will receive a rebuild, regression test run, and a PR opened against affected workloads automatically once a fix version becomes available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the WordPress installation to trigger the injection.

  • Authentication: Not required

    No account or session token of any privilege level is needed; the vulnerable code path is accessible to completely unauthenticated requests.

  • Victim interaction: Not required

    Exploitation is fully automated and requires no action from any user of the WordPress site.

  • Attack complexity: Low

    Attack complexity is low, meaning the SQL injection is reliable and requires no special environmental conditions, race timing, or memory layout knowledge to execute.

Blast Radius

  • Reads arbitrary rows from the WordPress database, including wp_users password hashes, email addresses, and any stored session tokens.
  • Reads data from custom tables created by other installed plugins, which may include personal information, payment references, or API keys stored in the database.
  • Causes limited availability disruption through heavy or malformed SQL queries that degrade database performance or cause query failures.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged at Critical severity and matched against any image bundling GPTranslate plugin versions up to 2.32.6. Because no upstream fix exists as of the publication date, HarborGuard monitors the Patchstack and NVD advisory feeds on every ingest cycle and will surface a patched-image rebuild the moment a fix version is released. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and a PR opened against affected workloads automatically, with no manual intervention required. While no patch is available, recommended compensating controls include applying a web application firewall rule to block SQL metacharacter sequences on WordPress HTTP endpoints, isolating WordPress containers with Kubernetes network policy to restrict inbound access to known sources, and auditing database user permissions to limit the WordPress DB user to only the tables and operations it requires. Where compliance policy permits, HarborGuard can route this finding immediately to the relevant team inbox to accelerate manual review.

Affected packages

  • JExtensions Store / GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites, versions ≤ 2.32.6

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L