cve.akaoma.com
Critical SQL Injection Vulnerability in GPTranslate Plugin (CVE-2026-49776)
A critical unauthenticated SQL injection vulnerability (CVE-2026-49776) has been identified in the GPTranslate plugin for WordPress, affecting versions 2.32.6 and earlier. This flaw allows attackers to execute arbitrary SQL queries through user-controlled input, potentially exposing sensitive data such as usernames and password hashes. Currently, there is no evidence of public exploitation or proof-of-concept code. A patch has been released, and users are advised to update to version 2.32.7 or later immediately. If updates cannot be applied, disabling or removing the plugin is recommended. The vulnerability has been assigned a CVSS score of 9.3, indicating its critical nature. Security professionals are urged to implement Web Application Firewall (WAF) rules to mitigate potential SQL injection attempts targeting the plugin.
Key Points:
• CVE-2026-49776 is a critical SQL injection vulnerability in the GPTranslate plugin for WordPress.
• The flaw allows unauthenticated attackers to execute arbitrary SQL queries on affected systems.
• Users must update to version 2.32.7 or later to mitigate the risk of exploitation.