CVE-2025-10008: CWE-862 Missing Authorization in remyb92 Translate WordPress and go Multilingual – Weglot
The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clean_options' function in all versions up to, and including, 5.1. This makes it possible for unauthenticated attackers to delete limited transients that contain cached plugin options.
AI Analysis
Technical Summary
CVE-2025-10008 identifies a missing authorization vulnerability (CWE-862) in the Translate WordPress and go Multilingual – Weglot plugin, a widely used WordPress plugin for website translation. The vulnerability exists in the 'clean_options' function, which lacks proper capability checks before allowing deletion of cached plugin options stored as transients. This flaw permits unauthenticated attackers to remotely invoke this function and delete limited transient data without any authentication or user interaction. The transient data typically caches plugin options to optimize performance; its deletion can cause temporary loss of cached settings, forcing the plugin to regenerate or reload options, potentially disrupting translation services or causing inconsistent behavior. The vulnerability affects all versions up to and including 5.1. The CVSS v3.1 base score is 5.3 (medium), reflecting network attack vector, no privileges required, no user interaction, and limited impact on integrity without affecting confidentiality or availability. No patches or exploits are currently reported, but the vulnerability's presence in a popular plugin increases the risk of future exploitation. The issue highlights the importance of enforcing authorization checks on sensitive plugin functions that modify or delete configuration data.
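The pattern behind CWE-862 here is a handler that deletes cached options without checking who is calling it. The snippet below is an added illustration and is not the Weglot plugin's code: it assumes, for the sake of example, that the function is exposed through an admin-ajax handler, and the function, action and transient names are hypothetical.

```php
<?php
// Added illustration of CWE-862 in a WordPress plugin handler; NOT the Weglot
// plugin's code. Function, action and transient names are hypothetical.

// Vulnerable pattern: reachable by anonymous requests (wp_ajax_nopriv_*) and
// deletes cached plugin options with no capability check at all.
function example_clean_options_vulnerable() {
    delete_transient( 'example_plugin_cached_options' );
    wp_send_json_success( 'cache cleared' );
}
add_action( 'wp_ajax_nopriv_example_clean_options', 'example_clean_options_vulnerable' );
add_action( 'wp_ajax_example_clean_options', 'example_clean_options_vulnerable' );

// Hardened pattern: registered for logged-in users only, verifies a nonce
// (CSRF protection) and requires the manage_options capability.
function example_clean_options_hardened() {
    // Nonce check: the request must come from a form or link the plugin rendered.
    check_ajax_referer( 'example_clean_options_nonce', 'nonce' );

    // Capability check: this is the authorization step CWE-862 says is missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    delete_transient( 'example_plugin_cached_options' );
    wp_send_json_success( 'cache cleared' );
}
// No wp_ajax_nopriv_ registration: anonymous calls never reach the handler.
add_action( 'wp_ajax_example_clean_options', 'example_clean_options_hardened' );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_nopriv_*`, REST route with `permission_callback` set to `__return_true`, or `admin_init`/`init` hook that reads request parameters and then writes or deletes options, and confirm each one checks a capability before the state change.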
Potential Impact
For European organizations, the primary impact is on the integrity of multilingual website content management. Deletion of cached plugin options can lead to inconsistent translation behavior, degraded user experience, and potential administrative overhead to restore normal operation. While it does not directly compromise sensitive data or availability, the disruption of translation services can affect customer engagement, especially for e-commerce, government, or public service websites relying on multilingual support. Organizations with high traffic or regulatory requirements for accessibility and localization may face reputational damage or compliance challenges if translation services are impaired. Additionally, repeated exploitation could be used as a vector for denial of service by forcing constant cache regeneration. Since the vulnerability requires no authentication and can be triggered remotely, the attack surface is broad, increasing risk for websites exposed to the internet. European entities using the Weglot plugin should prioritize assessment and remediation to maintain service integrity.
Mitigation Recommendations
1. Monitor official Weglot plugin channels for security updates and apply patches promptly once released to fix the missing authorization check.
2. Until patches are available, restrict access to WordPress administrative endpoints and plugin functions via web application firewalls (WAF) or IP whitelisting to limit exposure.
3. Implement strict WordPress user role management to minimize unnecessary permissions and audit plugin usage regularly.
4. Enable detailed logging and monitoring of transient deletions or unusual plugin behavior to detect potential exploitation attempts early.
5. Consider temporarily disabling or replacing the Weglot plugin with alternative translation solutions if risk tolerance is low and patching is delayed.
6. Conduct security awareness training for site administrators to recognize and respond to anomalies in plugin performance or site translations.
7. Review and harden WordPress security configurations, including limiting REST API access and disabling unused endpoints that could be leveraged in attacks.
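Recommendation 4 (logging transient deletions) can be implemented with a small must-use plugin hooked on WordPress core's `deleted_transient` action. This is an added example, not part of the Weglot plugin or the advisory; the `weglot` name filter is an assumption, since the advisory does not name the affected transients.

```php
<?php
/**
 * Plugin Name: Transient Deletion Audit (added example, not part of Weglot)
 * Description: Drop into wp-content/mu-plugins/ to log every transient
 * deletion with request context, so anonymous deletions of plugin caches
 * stand out in the PHP error log or WP_DEBUG_LOG destination.
 */
add_action( 'deleted_transient', function ( $transient ) {
    // Restrict to transients that look like the plugin's caches; the
    // substring is an assumption, adjust it after inspecting wp_options.
    if ( false === strpos( $transient, 'weglot' ) ) {
        return;
    }

    $entry = array(
        'ts'        => gmdate( 'c' ),
        'transient' => $transient,
        'user_id'   => get_current_user_id(), // 0 means unauthenticated request
        'ip'        => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'uri'       => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
        'action'    => isset( $_REQUEST['action'] )
            ? sanitize_text_field( wp_unslash( $_REQUEST['action'] ) )
            : '',
        'cron'      => ( defined( 'DOING_CRON' ) && DOING_CRON ) ? 1 : 0,
    );

    // One structured line per deletion; ship the log to a SIEM from here.
    error_log( 'transient_deleted ' . wp_json_encode( $entry ) );

    // A deletion triggered by an anonymous, non-cron request is the signal
    // that matches this CWE-862 issue and is worth alerting on.
    if ( 0 === $entry['user_id'] && 0 === $entry['cron'] ) {
        error_log( 'ALERT unauthenticated transient deletion ' . wp_json_encode( $entry ) );
    }
} );
```

Baseline the log for a few days before alerting: scheduled tasks and legitimate admin actions also delete these transients, and the `user_id`/`cron` fields are what separate them from anonymous requests.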
Affected Countries
Germany, France, United Kingdom, Spain, Italy, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-04T21:45:42.043Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69030287a36935f672017491
Added to database: 10/30/2025, 6:15:35 AM
Last enriched: 10/30/2025, 6:22:19 AM
Last updated: 10/30/2025, 2:09:33 PM