cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for gtranslate

Feb 04, 2026

Translate WordPress with GTranslate # PSC-2026-64605

PSC, Research URL

PSC-2026-64605

Date
Feb 04, 2026
Research Description
Translate WordPress with GTranslate (v3.0.9) is a multilingual WordPress solution that uses Google Translate automatic translation to make a site available in 103 languages, dramatically expanding reach to more than 99% of internet users. Since GTranslate has been providing website translation services since 2008, the plugin is built around a mature translation platform and a cloud-based approach that aims to keep the WordPress site fast—translations are delivered without heavy on-site processing. In paid editions, GTranslate adds full multilingual SEO capabilities (subdomains/subdirectories, indexable translations, translated metadata, hreflang, and more), helping websites grow international traffic and sales. Because translation plugins operate on nearly every frontend pageview, output user-visible content dynamically, and may modify SEO metadata and URL structures, security must be treated as a primary requirement. That’s why it’s important that GTranslate v3.0.9 has passed CleanTalk Plugin Security Certification (PSC-2026-64605), confirming the plugin was reviewed and validated against critical vulnerability classes and secure-coding expectations.
Affected versions
Min 3.0.9, max 3.0.9.
Status
SAFE & CERTIFIED
Jun 07, 2024

Translate WordPress with GTranslate # CVE-2021-34630

CVE, Research URL

CVE-2021-34630

Date
Jul 31, 2021
Research Description
In the Pro and Enterprise versions of GTranslate < 2.8.65, the gtranslate_request_uri_var function runs at the top of all pages and echoes out the contents of $_SERVER['REQUEST_URI']. Although this uses addslashes, and most modern browsers automatically URL-encode requests, this plugin is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below, or in cases where an attacker is able to modify the request en route between the client and the server, or in cases where the user is using an atypical browsing solution.
Affected versions
max 2.8.65.
Status
vulnerable

Translate WordPress with GTranslate # CVE-2021-25103

CVE, Research URL

CVE-2021-25103

Date
Feb 07, 2022
Research Description
The Translate WordPress with GTranslate WordPress plugin before 2.9.7 does not sanitise and escape the body parameter in the url_addon/gtranslate-email.php file before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. Note: exploitation of the issue requires knowledge of the NONCE_SALT and NONCE_KEY.
Affected versions
max 2.9.7.
Status
vulnerable

Translate WordPress with GTranslate # CVE-2020-11930

CVE, Research URL

CVE-2020-11930

Date
Apr 20, 2020
Research Description
The GTranslate plugin before 2.8.52 for WordPress has Reflected XSS via a crafted link. This requires use of the hreflang tags feature within a sub-domain or sub-directory paid option.
Affected versions
max 2.8.52.
Status
vulnerable

Translate WordPress with GTranslate # CVE-2022-0770

CVE, Research URL

CVE-2022-0770

Date
Mar 28, 2022
Research Description
The Translate WordPress with GTranslate WordPress plugin before 2.9.9 does not have CSRF checks in some files, and writes debug data such as users' cookies to a publicly accessible file if a specific parameter is used when requesting them. Combining those two issues, an attacker could gain access to a logged-in admin's cookies by making them open a malicious link or page.
Affected versions
max 2.8.11.
Status
vulnerable

Translate WordPress with GTranslate # CVE-2023-4502

CVE, Research URL

CVE-2023-4502

Date
Sep 25, 2023
Research Description
The Translate WordPress with GTranslate WordPress plugin before 3.0.4 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). This vulnerability affects multiple parameters.
Affected versions
max 3.0.4.
Status
vulnerable