Plugin Name: Google Language Translator
- Software Type: Plugin
- Software Slug: google-language-translator
- Software Status: Active
- Software Author: edo888
- Software Downloads: 3,145,040
- Active Installs: 100,000
- Last Updated: December 8, 2023
- Patched Versions: 6.0.20
- Affected Versions: < 6.0.20
- Name: Google Language Translator <= 6.0.20 - Missing Authorization to Notice Dismissal
- Type: Missing Authorization
- CVSS Score: 5.3 (Medium)
- Publicly Published: December 8, 2023
- Description: The Translate WordPress – Google Language Translator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_notice_ignore() function in all versions up to 6.0.20 (exclusive). This makes it possible for unauthenticated attackers to dismiss admin notices.
The Google Language Translator plugin for WordPress has a vulnerability in versions up to and including 6.0.19 that allows unauthenticated attackers to dismiss admin notices due to a missing capability check. This vulnerability has been patched in version 6.0.20.
Researchers discovered that the admin_notice_ignore() function in the Google Language Translator plugin does not check user capabilities before allowing admin notices to be dismissed. This means any unauthenticated user could send a request to dismiss plugin notices intended for administrators. While this does not directly lead to site compromise, it takes away an administrator's control and visibility over their own plugin's notices. The patched version 6.0.20 implements a capability check to prevent unauthorized users from manipulating admin notices.
Advice for Users:
- Immediate Action: Update to version 6.0.20 or later to implement the fix for this vulnerability.
- Check for Signs of Vulnerability: Review your admin notices and logs for any suspicious dismissals by unauthorized users.
- Alternate Plugins: Consider using alternate translation plugins like WPML or TranslatePress as a precaution.
- Stay Updated: Always keep plugins updated to avoid vulnerabilities. There have been 6 previous vulnerabilities found in Google Language Translator since August 2015.
The quick response by the developers to patch this vulnerability shows their commitment to security. Users should install version 6.0.20 or later as soon as possible to prevent potential exploits. Staying updated on all plugins remains the best defense against vulnerabilities.
Keeping your WordPress website and its plugins up-to-date is critical for security, as outdated software often harbors vulnerabilities that put sites at risk of compromise. Unfortunately, a popular translation plugin, Google Language Translator, was recently revealed to have just such a vulnerability in outdated versions that could allow attackers to silently dismiss admin notices intended to warn site owners of issues. In this post, we’ll break down everything small business owners need to know about this vulnerability, how to update Google Language Translator, additional precautions to take, and why staying on top of updates is so essential for the security of your website.
About the Google Language Translator Plugin
The Google Language Translator plugin allows WordPress sites to automatically translate content into 100+ languages. Currently active with over 100,000 installs, it has over 3 million total downloads making it a widely-used tool. The plugin is authored by edo888 and last updated as recently as December 8, 2023.
Vulnerability Could Allow Dismissal of Critical Admin Notices
Researchers discovered that Google Language Translator versions up to and including 6.0.19 contain a vulnerability that allows any user, even unauthenticated users and bots, to dismiss admin notices. Typically, only administrators should have this ability. This means critical notices about plugin issues, vulnerabilities, or other risks could be maliciously hidden by attackers without a site owner's knowledge.
While this vulnerability does not directly enable site takeover, the ability to surreptitiously hide admin warnings poses security risks. Attackers use these kind of footholds to cover their tracks as they probe deeper into sites. So timely alerts about suspicious activities could be suppressed and erased.
The vulnerability received a CVSS severity score of 5.3 (Medium). It has been patched in version 6.0.20 of Google Language Translator.
Protect Your Website by Updating Immediately
If your website utilizes the Google Language Translator plugin, check immediately that you are running version 6.0.20 or higher. Any version before this contains the vulnerability enabling malicious dismissal of admin notices.
To update the plugin:
- In your WordPress dashboard, go to Plugins > Installed Plugins
- Find Google Language Translator and click Update if available. If not, go to Add New Plugins and search for the plugin to install the latest version.
- Visit your Admin Notices page and check for any unfamiliar dismissals by unauthorized users
For good measure, considering updating all your plugins and WordPress core software as well to the latest releases. Outdated software across the board weakens your security.
Be Proactive With WordPress Security
This vulnerability in a popular plugin highlights why site owners must be proactive about security. While the Google Language Translator developer promptly addressed this issue, previously six other vulnerabilities had been detected since 2015 underscoring the constant risks from outdated plugins.
As a small business owner without time to constantly monitor everything on your site, take these steps to improve security:
- Enable automated background updates for WordPress and plugins
- Install a security plugin like Wordfence to scan for vulnerabilities and detect threats
- Create backups of your site in case you need to restore after an attack
- Limit plugins, themes, and user accounts only to those essential to reduce avenues of attack
Keeping WordPress and plugins fully updated at all times is the best way to get out ahead of emerging threats targeting known software vulnerabilities. But layering on other security measures through plugins, backups, and limiting extensions gives overlapping protection to secure your website.
As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.
Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.