CVE-2026-4683 Overview
CVE-2026-4683 affects the Smartcat Translator for WPML plugin for WordPress in all versions up to and including 3.1.77. The plugin exposes a routeData REST endpoint that lacks a capability check, classified as Missing Authorization [CWE-862]. Unauthenticated attackers can invoke the endpoint over the network to overwrite the plugin's Smartcat API credentials, including the account ID, API secret key, hub key, API host, and hub host. Successful exploitation hijacks the translation service or triggers a denial of service against translation workflows that depend on the plugin.
Critical Impact
Unauthenticated remote attackers can overwrite Smartcat API credentials on affected WordPress sites, hijacking translation services or denying availability.
Affected Products
- Smartcat Translator for WPML plugin for WordPress, all versions through 3.1.77
- WordPress sites integrating Smartcat with WPML for content translation
- Smartcat API integrations relying on stored plugin credentials
Discovery Timeline
- 2026-05-15 - CVE-2026-4683 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-4683
Vulnerability Analysis
The flaw resides in the plugin's REST routing layer. The routeData endpoint dispatches requests to internal controllers without verifying that the caller holds the appropriate WordPress capability. Because the route lacks a permission_callback enforcing administrator privileges, any network client can reach handler functions that persist plugin configuration. The endpoint accepts attacker-supplied values that map directly to the plugin's stored Smartcat integration settings. Attackers replace the legitimate account ID, API secret key, hub key, API host, and hub host with values they control or with invalid data.
Root Cause
The root cause is a missing authorization check on the REST route registered in the plugin's Router service and exercised by CallbackController. The endpoint accepts write operations against credential storage without validating user capabilities, session context, or nonce material. This pattern matches CWE-862: Missing Authorization.
Attack Vector
Exploitation is performed remotely over HTTP against the WordPress REST API. The attacker sends a single unauthenticated request to the routeData endpoint with a payload that updates the credential fields. After the request, all subsequent translation operations performed by the plugin authenticate against the attacker-controlled Smartcat tenant or fail entirely. This produces translation hijacking, content tampering through the translation pipeline, or denial of service.
No verified proof-of-concept code is publicly available. See the Wordfence Vulnerability Report and the WordPress Plugin Router Source for technical context.
Detection Methods for CVE-2026-4683
Indicators of Compromise
- Unexpected POST or PUT requests to WordPress REST routes registered by the smartcat-wpml plugin, particularly any path resolved by the plugin's routeData handler.
- Modified Smartcat plugin options in wp_options containing unfamiliar account IDs, API secret keys, hub keys, API hosts, or hub hosts.
- Translation job failures, missing translations, or content appearing in a Smartcat workspace the site owner does not control.
Detection Strategies
- Inspect web server access logs for unauthenticated requests to /wp-json/ paths registered by Smartcat Translator for WPML and correlate with configuration changes.
- Hash and baseline the plugin's stored Smartcat credentials, alerting when the values change outside of administrator sessions.
- Hunt for outbound HTTP requests from the WordPress host to Smartcat API hosts that do not match the organization's configured tenant.
Monitoring Recommendations
- Enable WordPress audit logging for update_option events targeting Smartcat plugin keys.
- Forward web server and WordPress logs to a centralized analytics platform and alert on REST writes from unauthenticated sessions.
- Monitor for the version string 3.1.77 or lower of smartcat-wpml across the WordPress estate.
How to Mitigate CVE-2026-4683
Immediate Actions Required
- Update the Smartcat Translator for WPML plugin to a version later than 3.1.77 as published in WordPress Changeset #3524382.
- Rotate the Smartcat account ID, API secret key, hub key, API host, and hub host after patching to invalidate any attacker-supplied values.
- Audit current plugin settings against the legitimate Smartcat tenant configuration and restore correct values if tampering is found.
Patch Information
The vendor addressed the issue in the commit recorded as WordPress Changeset #3524382. The fix introduces a capability check on the routeData endpoint registered by the plugin's Router service. Administrators should install the fixed release from the WordPress plugin repository and confirm the active version is above 3.1.77.
Workarounds
- Restrict access to /wp-json/smartcat-wpml/ and related REST routes at the web application firewall or reverse proxy until the plugin is updated.
- Disable or remove the Smartcat Translator for WPML plugin on sites that do not actively use the integration.
- Apply IP allow-listing on the WordPress REST API for administrative routes where operationally feasible.
# Example nginx rule to block unauthenticated access to the vulnerable route
location ~ ^/wp-json/smartcat-wpml/ {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
