{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10008", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-04T21:45:42.043Z", "datePublished": "2025-10-30T05:28:27.857Z", "dateUpdated": "2026-04-08T17:18:25.267Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:25.267Z"}, "affected": [{"vendor": "remyb92", "product": "Translate WordPress with Weglot \u2013 Multilingual AI Translation", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Translate WordPress and go Multilingual \u2013 Weglot plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clean_options' function in all versions up to, and including, 5.1. This makes it possible for unauthenticated attackers to delete limited transients that contain cached plugin options."}], "title": "Translate WordPress and go Multilingual \u2013 Weglot <= 5.1 - Missing Authorization to Unauthenticated Limited Transient Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb2a8a6f-fe97-4588-a084-64f502a40c51?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/weglot/trunk/src/actions/front/class-clean-options.php#L33"}, {"url": "https://plugins.trac.wordpress.org/changeset/3383165/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ngoc Quang Bach"}], "timeline": [{"time": "2025-09-23T12:57:55.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-29T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-30T14:01:37.916827Z", "id": "CVE-2025-10008", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-30T14:01:45.215Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10008", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-30T14:01:37.916827Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-30T14:01:41.705Z"}}], "cna": {"title": "Translate WordPress and go Multilingual \u2013 Weglot <= 5.1 - Missing Authorization to Unauthenticated Limited Transient Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ngoc Quang Bach"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "remyb92", "product": "Translate WordPress with Weglot \u2013 Multilingual AI Translation", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-23T12:57:55.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-29T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb2a8a6f-fe97-4588-a084-64f502a40c51?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/weglot/trunk/src/actions/front/class-clean-options.php#L33"}, {"url": "https://plugins.trac.wordpress.org/changeset/3383165/"}], "descriptions": [{"lang": "en", "value": "The Translate WordPress and go Multilingual \u2013 Weglot plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clean_options' function in all versions up to, and including, 5.1. This makes it possible for unauthenticated attackers to delete limited transients that contain cached plugin options."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:25.267Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10008", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:18:25.267Z", "dateReserved": "2025-09-04T21:45:42.043Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-30T05:28:27.857Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Translate WordPress and go Multilingual \u2013 Weglot plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clean_options' function in all versions up to, and including, 5.1. This makes it possible for unauthenticated attackers to delete limited transients that contain cached plugin options."}], "id": "CVE-2025-10008", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-30T06:15:42.690", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/weglot/trunk/src/actions/front/class-clean-options.php#L33"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3383165/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb2a8a6f-fe97-4588-a084-64f502a40c51?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:44:00.457949+00:00", "value": {"mitigation_remediation": ["Apply the latest plugin update (\u2265\u202f5.2), which removes the capability check flaw.", "If updating is not immediately possible, disable or remove the clean_options function via a custom code snippet or by editing the plugin files to protect the transient deletion endpoint.", "Restrict HTTP access to the plugin\u2019s administrative URLs by implementing role\u2011based access control or firewall rules to prevent unauthenticated requests to the clean_options endpoint."], "summary": {"action": "Upgrade", "impact": "Unauthorized deletion of plugin options"}, "threat_synthesis": {"affected_systems": "All installations of the Translate WordPress with Weglot \u2013 Multilingual AI Translation plugin with versions up to and including 5.1 are affected. The vendor is remyb92. Specific version numbers are not listed beyond the 5.1 cutoff, so any build prior to 5.2 remains vulnerable.", "description_and_impact": "The vulnerability is a missing capability check in the plugin\u2019s clean_options function, allowing an unauthenticated user to delete transients that store cached plugin options. This flaw results in loss of data specific to the translation settings, potentially disrupting website functionality and requiring reconfiguration of the plugin. The weakness is categorized as CWE\u2011862 and presents a moderate level of risk to the confidentiality and integrity of the plugin\u2019s configuration data.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of below 1\u202f% suggests a low probability of exploitation. The flaw is not listed in the CISA KEV catalog. An attacker can trigger the deletion by accessing the clean_options endpoint without authentication, but must discover the correct URL or injection vector to do so. Once exploited, the attacker removes cached options, leading to the loss of translation configuration data and a temporary service disruption."}}}}, "created": "2025-10-30T14:37:27.653423+00:00", "updated": "2026-04-21T18:45:06.085880+00:00", "vendors": ["remyb92", "remyb92$PRODUCT$translate_wordpress_and_go_multilingual", "wordpress", "wordpress$PRODUCT$wordpress"]}