CVE-2025-10008: CWE-862 Missing Authorization in remyb92 Translate WordPress and go Multilingual – Weglot
The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clean_options' function in all versions up to, and including, 5.1. This makes it possible for unauthenticated attackers to delete limited transients that contain cached plugin options.
AI Analysis
Technical Summary
CVE-2025-10008 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Translate WordPress and go Multilingual – Weglot plugin, a popular WordPress plugin used to provide multilingual website capabilities. The issue stems from the 'clean_options' function lacking proper capability checks, which means that any unauthenticated user can invoke this function to delete certain transients—temporary cached data that stores plugin options. This deletion does not require any authentication or user interaction, making it remotely exploitable over the internet. The transient data affected typically includes cached plugin settings that help optimize performance and user experience by avoiding repeated database queries. While the vulnerability does not allow attackers to read sensitive data or execute arbitrary code, the loss of cached options can lead to degraded plugin performance, potential misconfiguration, or temporary loss of translation features until the cache is rebuilt. The vulnerability affects all versions up to and including 5.1 of the plugin. The CVSS v3.1 base score is 5.3, reflecting a medium severity due to the lack of confidentiality or availability impact but ease of exploitation and integrity impact (loss of cached data). No patches or exploits are currently reported, but the vulnerability is publicly disclosed and should be addressed promptly. The plugin is widely used in WordPress sites globally, including Europe, especially for businesses requiring multilingual content delivery.
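The missing-authorization pattern described above, shown next to its hardened form. This is an added example, not Weglot's source code: every `example_*` name, the transient keys and the `admin_post_` registration are assumptions chosen to illustrate a capability check on a cache-clearing handler.

```php
<?php
/**
 * Illustrative only: hypothetical plugin code, not the Weglot plugin's source.
 * All example_* names and transient keys below are constructed for this sketch.
 */

// Transients that hold cached plugin options (constructed names).
const EXAMPLE_OPTION_TRANSIENTS = array( 'example_cache_settings', 'example_cache_languages' );

// BEFORE: the CWE-862 pattern. The function changes state but never asks
// who is calling, so every code path that reaches it inherits that gap.
function example_clean_options_unchecked() {
	foreach ( EXAMPLE_OPTION_TRANSIENTS as $key ) {
		delete_transient( $key );
	}
}

// AFTER: authorization and request-intent checks run before any state change.
function example_clean_options() {
	// 1. Capability check: only users allowed to manage site options may purge.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die(
			esc_html__( 'You are not allowed to clear this cache.', 'example' ),
			'',
			array( 'response' => 403 )
		);
	}

	// 2. Nonce check: the request must originate from a form this site
	//    rendered for this user. check_admin_referer() dies on failure.
	check_admin_referer( 'example_clean_options' );

	foreach ( EXAMPLE_OPTION_TRANSIENTS as $key ) {
		delete_transient( $key );
	}

	wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
	exit;
}

// Register on the authenticated admin-post hook only. The unauthenticated
// counterpart (admin_post_nopriv_{action}) is deliberately not registered.
add_action( 'admin_post_example_clean_options', 'example_clean_options' );
```

The capability check belongs inside the function itself rather than only at the hook registration, so the guard still holds if the function is later wired to another entry point.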
Potential Impact
For European organizations, the primary impact of this vulnerability is operational disruption rather than direct data breach or system compromise. Organizations relying on the Weglot plugin for multilingual content may experience temporary loss or corruption of cached plugin options, leading to slower page loads, incorrect translations, or degraded user experience. This can affect e-commerce platforms, government websites, educational institutions, and other entities that depend on accurate and performant multilingual support. While the vulnerability does not expose sensitive data, the integrity of the plugin’s cached configuration is compromised, which could indirectly affect business continuity and customer trust. Attackers could exploit this flaw to cause repeated cache clearing, potentially leading to denial of service conditions by forcing the plugin to rebuild caches continuously, increasing server load. European organizations with high traffic WordPress sites or those in sectors where multilingual content is critical (e.g., tourism, international trade, public services) are particularly vulnerable. The lack of authentication requirement increases the risk of automated exploitation attempts from anywhere on the internet.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should first verify if they are using the affected versions (up to 5.1) of the Translate WordPress and go Multilingual – Weglot plugin. Immediate steps include:
1) Restricting access to the WordPress admin and plugin endpoints via web application firewalls (WAFs) or IP whitelisting to prevent unauthenticated requests to sensitive plugin functions.
2) Implementing monitoring and alerting for unusual cache clearing or transient deletion activities in WordPress logs.
3) Temporarily disabling or removing the plugin if multilingual functionality is not critical until a patched version is released.
4) Engaging with the plugin vendor or community to obtain and apply security patches once available.
5) Employing WordPress security best practices such as limiting plugin permissions, using security plugins that enforce capability checks, and regularly auditing installed plugins for vulnerabilities.
6) Considering alternative multilingual plugins with better security track records if timely patching is not feasible.
These measures will help prevent unauthorized cache clearing and maintain service reliability.
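WordPress does not record transient deletions on its own, so the monitoring step needs a hook. The following must-use plugin is an added example, not part of the Weglot plugin or of this advisory: it logs explicit transient deletions made by requests that have no logged-in user. The watched prefix is a labelled placeholder and an assumption, because the page does not name the affected transients.

```php
<?php
/**
 * Plugin Name: Example transient-deletion audit (added example)
 * Hypothetical monitoring code; place in wp-content/mu-plugins/.
 */

// ASSUMPTION: the cached-option transients share one name prefix. This is a
// placeholder; replace it with the prefix observed on your own site.
const EXAMPLE_WATCH_PREFIX = 'PLUGIN_TRANSIENT_PREFIX_';

// 'deleted_transient' fires after delete_transient() removes an entry.
add_action( 'deleted_transient', 'example_audit_transient_deletion' );

function example_audit_transient_deletion( $transient ) {
	if ( 0 !== strpos( $transient, EXAMPLE_WATCH_PREFIX ) ) {
		return; // Not one of the watched transients.
	}

	// Deletions from WP-CLI or WP-Cron are expected maintenance.
	if ( ( defined( 'WP_CLI' ) && WP_CLI ) || wp_doing_cron() ) {
		return;
	}

	// A logged-in user clearing the cache is handled by normal admin auditing.
	if ( function_exists( 'is_user_logged_in' ) && is_user_logged_in() ) {
		return;
	}

	// What remains is a deletion triggered by an unauthenticated web request.
	$entry = array(
		'event'       => 'unauthenticated_transient_delete',
		'transient'   => $transient,
		'time'        => gmdate( 'c' ),
		'remote_addr' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
		'method'      => isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '',
		'uri'         => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
	);

	// JSON encoding escapes control characters, so request data cannot
	// forge additional log lines.
	error_log( 'example-audit ' . wp_json_encode( $entry ) );
}
```

Forward the `example-audit` lines to the log pipeline and alert on repeated events from one source or in a short window, which is the repeated cache-clearing pattern described under Potential Impact.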
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-04T21:45:42.043Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69030287a36935f672017491
Added to database: 10/30/2025, 6:15:35 AM
Last enriched: 11/6/2025, 7:34:30 AM
Last updated: 12/13/2025, 8:15:25 PM