CVE-2025-8425
WordPress · WordPress My WP Translate plugin
A high-severity vulnerability has been identified in the My WP Translate plugin for WordPress, affecting all versions up to and including 1.0.
Executive summary
The flaw is a missing authorization check on one of the plugin's AJAX handlers. Any authenticated user, down to a Subscriber-level account, can call that handler and modify site data; the advisory classes the outcome as privilege escalation, because the data the handler writes can be used to gain administrative control of the site. The result of a successful attack is therefore full site compromise, with data theft or defacement as likely follow-on effects.
Vulnerability
The vulnerability is a missing capability check on the plugin's ajax_import_strings() function. The function is registered as a WordPress AJAX action, so it is reachable through /wp-admin/admin-ajax.php by anyone holding a valid login session, and it performs no capability check (the WordPress idiom is current_user_can()) before acting on the request. A Subscriber-level account, the lowest default role, can therefore submit its own data to the import routine and have it stored as translation strings. Because that write path is not restricted to administrators, an attacker can use it to inject content or alter site options, which is the route to administrator-level access the advisory describes.
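The pattern described above, as an added illustration rather than code taken from the My WP Translate plugin: a handler wired to a wp_ajax_* hook with no authorization check, beside the same handler with the capability check, a nonce check and input validation added. The action slug mwpt_import_strings, the nonce action mwpt_import and the helper mwpt_store_strings() are assumptions made for this example; the real plugin's hook names are not given in the advisory.

```php
<?php
/*
 * Added example, not the plugin's own code. The action slug
 * 'mwpt_import_strings', the nonce action 'mwpt_import' and the
 * helper mwpt_store_strings() are assumptions for illustration.
 */

// BEFORE (the pattern the advisory describes): reachable by any logged-in
// user via POST /wp-admin/admin-ajax.php with action=mwpt_import_strings,
// and nothing checks who is calling before the data is written.
function mwpt_ajax_import_strings_vulnerable() {
    $strings = json_decode( wp_unslash( $_POST['strings'] ?? '' ), true );
    mwpt_store_strings( is_array( $strings ) ? $strings : array() );
    wp_send_json_success();
}
// add_action( 'wp_ajax_mwpt_import_strings', 'mwpt_ajax_import_strings_vulnerable' );

// AFTER: authorization first, then CSRF protection, then validation.
function mwpt_ajax_import_strings_fixed() {
    // 1. Authorization: only users who may manage options can import.
    //    This is the check the vulnerable version is missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // ends the request
    }

    // 2. CSRF: the request must carry a nonce issued for this action.
    //    A nonce is not authorization; a Subscriber can obtain one from
    //    any admin page that prints it, so it never replaces step 1.
    check_ajax_referer( 'mwpt_import', 'nonce' );

    // 3. Validation: accept only a flat map of string => string.
    $raw   = json_decode( wp_unslash( $_POST['strings'] ?? '' ), true );
    $clean = array();
    if ( is_array( $raw ) ) {
        foreach ( $raw as $key => $value ) {
            if ( is_string( $key ) && is_string( $value ) ) {
                $clean[ sanitize_text_field( $key ) ] = sanitize_text_field( $value );
            }
        }
    }

    mwpt_store_strings( $clean );
    wp_send_json_success( array( 'imported' => count( $clean ) ) );
}
add_action( 'wp_ajax_mwpt_import_strings', 'mwpt_ajax_import_strings_fixed' );

// Assumed persistence helper: translations kept under a single option.
function mwpt_store_strings( array $strings ) {
    update_option( 'mwpt_strings', $strings, false );
}
```

Two points worth noting when reviewing AJAX handlers for this class of bug. First, wp_ajax_* hooks run for every logged-in user, so a handler that writes anything must decide for itself which capability is required; manage_options is the conventional choice for configuration-type writes. Second, check_ajax_referer() only proves the request originated from a page that embedded the nonce, which any authenticated user can reach, so a nonce check on its own does not close a missing-capability finding.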
Business impact
This vulnerability is rated as high severity with a CVSS score of 8.8. Successful exploitation could lead to a complete compromise of the affected WordPress site. The business impact includes the potential for sensitive data theft (customer information, intellectual property), reputational damage from website defacement, financial loss due to site downtime or cleanup costs, and the risk of the compromised website being used to distribute malware or participate in further attacks. A full site takeover by an unauthorized actor represents a critical risk to business operations and data integrity.
Remediation
Immediate Action: Update the "My WP Translate" plugin to a release later than 1.0 that the vendor states fixes this issue. If no such release is available, or if the plugin is not essential to the site, deactivate it and delete it from the WordPress installation so the vulnerable AJAX handler is no longer registered; deactivation alone is sufficient to unregister the hook, but removal also eliminates the files as a future attack surface.
Proactive Monitoring: Watch for requests to /wp-admin/admin-ajax.php that invoke the plugin's string-import action, particularly from non-administrator accounts. Two caveats apply. The advisory names the PHP handler, ajax_import_strings(), which is not necessarily the value of the action parameter the plugin registers with add_action('wp_ajax_...'); confirm the actual slug in the installed plugin's source before writing a rule. And the action parameter is normally sent in the POST body, which web server access logs do not record, so a log that shows only "POST /wp-admin/admin-ajax.php" cannot distinguish this call from any other AJAX request; capture the action at the application layer (WAF, PHP, or a must-use plugin) instead. In addition, implement file integrity monitoring for plugin and core files, audit user accounts for unexpected new users or role changes, and review stored options for changes that no administrator made.
Compensating Controls: If immediate patching is not feasible, block the vulnerable action for non-administrators before the plugin's handler runs, either with a Web Application Firewall rule keyed on the action parameter or with a small must-use plugin hooked on the same wp_ajax_* action at a higher priority. Enforce least privilege for all accounts, review existing Subscriber-level accounts, and turn off open registration (Settings > General, "Anyone can register") if the site does not need it, since any account that can log in is enough to reach the flaw.
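The must-use-plugin form of the compensating control above, covering both the blocking and the application-layer logging the monitoring section asks for. This is an added example, not part of the advisory or the plugin; the action slug mwpt_import_strings is an assumption, and you must replace it with the wp_ajax_* slug the installed plugin version actually registers.

```php
<?php
/*
 * Plugin Name: MWPT AJAX guard (temporary compensating control)
 * Description: Blocks and logs non-administrator calls to the assumed
 *              string-import AJAX action until the plugin is updated.
 * Install: copy to wp-content/mu-plugins/ ; delete after patching.
 *
 * Added example, not part of the page or the plugin. The slug below is
 * an assumption: read the plugin's add_action('wp_ajax_...') calls and
 * put the real slug(s) here before deploying.
 */

const MWPT_GUARD_ACTIONS = array( 'mwpt_import_strings' ); // assumed slug

function mwpt_guard_block() {
    // Administrators keep the feature; everyone else is refused.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    $user = wp_get_current_user();

    // Application-layer log line: the action parameter travels in the
    // POST body, so this is the record the access log cannot give you.
    error_log( sprintf(
        'mwpt-guard: blocked admin-ajax action=%s user_id=%d login=%s ip=%s',
        $action,
        $user->ID,
        $user->user_login,
        $_SERVER['REMOTE_ADDR'] ?? '-'
    ) );

    // wp_send_json_error() ends the request, so the plugin's own handler,
    // registered on the same hook at the default priority 10, never runs.
    wp_send_json_error( 'forbidden', 403 );
}

foreach ( MWPT_GUARD_ACTIONS as $slug ) {
    // Priority 1 runs ahead of the plugin's handler on the same action.
    add_action( 'wp_ajax_' . $slug, 'mwpt_guard_block', 1 );
}
```

Must-use plugins load before ordinary plugins, so the guard's hook is registered first and, at priority 1, fires before the vulnerable handler regardless of the priority the plugin used. The error_log() line gives a searchable signal (user id, login, source address) for the account audit recommended above; any hit from a non-administrator account is a concrete exploitation attempt against this CVE and that account should be reviewed.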
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high-severity rating (CVSS 8.8) and the critical impact of a successful exploit (privilege escalation to administrator from any logged-in account), immediate remediation is strongly recommended. Organizations should apply the vendor-supplied update to the "My WP Translate" plugin without delay, or remove the plugin entirely if it is not business-critical. Although this CVE is not currently in CISA's Known Exploited Vulnerabilities (KEV) catalog and no public exploit is recorded, the low barrier to exploitation (a single Subscriber-level login) makes it a significant threat that warrants urgent attention.