The vulnerability identified as CVE-2025-10008 affects the Translate WordPress and go Multilingual – Weglot plugin, a widely used WordPress plugin designed to facilitate website translation and multilingual content management. The issue stems from a missing authorization (capability) check in the 'clean_options' function, which is responsible for clearing certain cached plugin options stored as transients in WordPress. Because this function lacks proper permission validation, unauthenticated attackers can invoke it remotely to delete these cached options. While the vulnerability does not expose sensitive data or allow direct site takeover, it compromises the integrity of the plugin's cached configuration, potentially causing unexpected behavior or degraded performance until the cache is rebuilt. The vulnerability affects all versions up to and including 5.1 of the plugin. The CVSS v3.1 score is 5.3 (medium), reflecting the ease of exploitation (no authentication or user interaction required) but limited impact confined to integrity without affecting confidentiality or availability. No patches or fixes were linked at the time of publication, and no known exploits are reported in the wild. The vulnerability is categorized under CWE-862 (Missing Authorization), highlighting the absence of proper access control checks in the affected function.

The primary impact of this vulnerability is the unauthorized deletion of cached plugin options, which can disrupt the normal operation of the Weglot plugin. This may lead to temporary loss of translation settings or degraded multilingual functionality until the cache is rebuilt. For organizations relying heavily on Weglot for website localization, this could result in inconsistent user experiences, potential loss of trust from site visitors, and increased administrative overhead to restore normal operations. Although the vulnerability does not directly compromise sensitive data or site availability, repeated exploitation could be used as part of a broader attack strategy to cause confusion or degrade service quality. Since exploitation requires no authentication and can be performed remotely, the attack surface is broad, affecting any publicly accessible WordPress site using the vulnerable plugin versions. The lack of known exploits reduces immediate risk but does not eliminate the potential for future attacks.

To mitigate this vulnerability, organizations should: 1) Immediately update the Weglot plugin to a version that includes the necessary authorization checks once available. Monitor official vendor channels for patch releases. 2) In the absence of an official patch, implement temporary access controls such as restricting access to the plugin's administrative AJAX endpoints via web application firewall (WAF) rules or server-level restrictions to block unauthenticated requests targeting the 'clean_options' function. 3) Regularly audit WordPress user roles and permissions to ensure that only trusted administrators have elevated capabilities. 4) Monitor website logs for unusual requests or repeated attempts to invoke the vulnerable function. 5) Consider disabling or limiting the use of the affected plugin if immediate patching is not feasible, especially on high-value or sensitive sites. 6) Employ security plugins that can detect and block unauthorized access attempts to plugin functions. These steps go beyond generic advice by focusing on specific function access control and monitoring tailored to this vulnerability.