The plugin does not have CSRF check in some files, and write debug data such as user's cookies in a publicly accessible file if a specific parameter is used when requesting them. Combining those two issues, an attacker could gain access to a logged in admin cookies by making them open a malicious link or page
Make a logged in admin (or any other account you want to gain access to) open https://example.com/wp-content/plugins/gtranslate/url_addon/gtranslate.php?glang=es&gurl=PoC&enable_debug Then access https://example.com/wp-content/plugins/gtranslate/url_addon/debug.txt to get the users cookies
2022-03-07 (about 3 months ago)
2022-03-07 (about 3 months ago)
2022-04-08 (about 2 months ago)