CVE-2022-3691: CWE-552 Files or Directories Accessible to External Parties in Unknown DeepL Pro API translation plugin
The DeepL Pro API translation plugin WordPress plugin before 1.7.5 discloses sensitive information (including the DeepL API key) in files that are publicly accessible to an external, unauthenticated visitor.
AI Analysis
Technical Summary
CVE-2022-3691 is a high-severity vulnerability in the DeepL Pro API translation plugin for WordPress, affecting versions prior to 1.7.5. It is classified under CWE-552 (Files or Directories Accessible to External Parties): files that should not be publicly available are reachable from outside. Here, sensitive information including the DeepL API key is exposed in files that the web server serves without any authentication, so any unauthenticated external visitor can fetch them and retrieve the key. The API key is the credential that authorizes calls to the DeepL Pro translation service; a leaked key enables unauthorized use of the service and therefore financial loss or abuse of the API. The CVSS v3.1 base score is 7.5 (High): the flaw is exploitable remotely over the network (AV:N) with no privileges (PR:N) and no user interaction (UI:N), and it impacts confidentiality (C:H) but not integrity or availability. Scope is unchanged (S:U), meaning exploitation does not reach resources beyond the vulnerable component itself. Although no exploits are known in the wild, the ease with which the credential can be read makes this a significant risk. The plugin runs inside WordPress, which is widely deployed across organizations globally, including in Europe. Exposed API keys can lead to unauthorized API calls, potential data leakage, and increased operational costs from misuse. Because the root cause is improper file access control, it reflects a misconfiguration or coding error in the plugin that fails to restrict access to sensitive files containing credentials.
Potential Impact
For European organizations using the DeepL Pro API translation plugin on their WordPress sites, this vulnerability poses a substantial risk. The exposure of API keys can lead to unauthorized usage of the DeepL translation service, resulting in unexpected charges and potential service disruption. Additionally, if attackers gain access to the API key, they might use it to infer or access other linked services or data, depending on how the API key is integrated within the organization's infrastructure. Confidentiality is directly impacted, as sensitive credentials are exposed publicly. This could also undermine trust in the organization's website security posture, especially for companies relying on multilingual content delivery. Given the widespread use of WordPress in Europe and the popularity of DeepL as a translation service (DeepL being a European company based in Germany), organizations in Europe are likely to use this plugin, increasing the potential impact. The vulnerability could also be exploited by competitors or malicious actors to disrupt business operations or to conduct further attacks leveraging the compromised API key.
Mitigation Recommendations
Organizations should immediately update the DeepL Pro API translation plugin to version 1.7.5 or later, where this vulnerability has been addressed. If updating is not immediately possible, administrators should manually verify and restrict access permissions to any files that may contain sensitive API keys, ensuring they are not publicly accessible via the web server. Implementing web server rules (e.g., .htaccess for Apache or equivalent for Nginx) to deny external access to configuration or credential files is critical. Additionally, organizations should rotate the exposed DeepL API keys to invalidate any potentially compromised credentials. Monitoring API usage for unusual activity can help detect unauthorized use early. As a longer-term measure, organizations should adopt the principle of least privilege for API keys, using keys with limited scopes and expiration where supported. Finally, conducting regular security audits of WordPress plugins and their configurations can help prevent similar issues.
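The following is an added example of the web server rule the mitigation above describes; it is not code from the plugin, the advisory, or WPScan. It is an Apache `.htaccess` intended for the plugin's own directory under `wp-content/plugins/` (the directory name is a placeholder; the advisory does not name which files leak the key, so the allow-list of servable extensions is an assumption you should adjust to what the plugin actually ships). The unhardened state is simply the absence of such a file: every readable file in the directory is served verbatim to any visitor.

```apache
# Added example, not from the plugin: place as
# wp-content/plugins/<deepl-plugin-dir>/.htaccess   (directory name is a placeholder)
#
# Weak/default state: no rule at all, so any file the web server can read
# (config, logs, exports, backups) is served to unauthenticated visitors.

# Hardened state: deny everything in this directory by default ...
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# ... then re-allow only what a browser legitimately needs from a plugin:
# PHP entry points and static assets. Extension list is an assumption.
<FilesMatch "\.(php|css|js|png|jpe?g|gif|svg|woff2?)$">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</FilesMatch>

# Defence in depth: never serve typical credential/config/backup file types,
# even if a future edit widens the allow-list above.
<FilesMatch "\.(env|ini|log|txt|ya?ml|bak|old|orig|sql)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
```

The `Require` form is for Apache 2.4 (mod_authz_core) and the `Order`/`Deny` form for 2.2; the `<IfModule>` guards let one file work on either. `.htaccess` rules only take effect when the enclosing `<Directory>` has `AllowOverride` permitting `AuthConfig` (for `Require`) or `Limit` (for `Order`/`Deny`); after deploying, confirm from an unauthenticated client that a known non-PHP file in the directory now returns 403 rather than its contents. On Nginx, where `.htaccess` is ignored, the equivalent is a `location` block for the plugin path that returns 403 for everything except the same allow-listed extensions. Note that this only closes the disclosure path; a key that may already have been read must still be rotated as the recommendation states.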
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2022-10-26T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d983bc4522896dcbede9c
Added to database: 5/21/2025, 9:09:15 AM
Last enriched: 7/2/2025, 4:12:20 AM
Last updated: 8/12/2025, 9:15:35 AM