Translate WordPress and go Multilingual – Weglot < 5.2 – Missing Authorization to Unauthenticated Limited Transient Deletion | CVE 2025-10008 | Plugin Vulnerabilities

Description

The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clean_options' function in all versions up to, and including, 5.1. This makes it possible for unauthenticated attackers to delete limited transients that contain cached plugin options.

Affects Plugins

Fixed in 5.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/bb2a8a6f-fe97-4588-a084-64f502a40c51

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Ngoc Quang Bach (maysbachs)

Verified

No

WPVDB ID

d1ff8743-04ac-4238-9c1e-8fd6de9f0856

Timeline

Publicly Published

2025-10-29 (about 6 months ago)

Added

2025-10-29 (about 6 months ago)

Last Updated

2025-10-30 (about 6 months ago)

Other

Published

Title

Published

2024-12-14

Title

Contact Form, Survey & Form Builder – MightyForms < 1.3.10 - Missing Authorization

Published

2026-01-27

Title

WPLegalPages < 3.5.5 - Missing Authorization

Published

2025-10-13

Title

TheGem Demo Import (for WPBakery) < 5.10.5.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion

Published

2021-07-20

Title

WP SEO TDK <= 2.1.2 - Unauthenticated Setting Update to Stored XSS

Published

2024-09-26

Title

Joy Of Text Lite <= 2.3.1 - Missing Authorization